{
  "version": "1",
  "package": [
    {
      "name": "coreutils-native",
      "layer": "meta",
      "version": "9.4",
      "products": [
        {
          "product": "coreutils",
          "cvesInRecord": "Yes"
        }
      ],
      "issue": [
        {
          "id": "CVE-2005-1039",
          "summary": "Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files.",
          "scorev2": "3.7",
          "scorev3": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1039"
        },
        {
          "id": "CVE-2008-1946",
          "summary": "The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1946"
        },
        {
          "id": "CVE-2009-4135",
          "summary": "The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4135"
        },
        {
          "id": "CVE-2014-9471",
          "summary": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9471"
        },
        {
          "id": "CVE-2015-1865",
          "summary": "fts.c in coreutils 8.4 allows local users to delete arbitrary files.",
          "scorev2": "3.3",
          "scorev3": "4.7",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1865"
        },
        {
          "id": "CVE-2015-4041",
          "summary": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4041"
        },
        {
          "id": "CVE-2015-4042",
          "summary": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4042"
        },
        {
          "id": "CVE-2016-2781",
          "summary": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781",
          "detail": "disputed",
          "description": "runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
        },
        {
          "id": "CVE-2017-18018",
          "summary": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18018"
        },
        {
          "id": "CVE-2024-0684",
          "summary": "A flaw was found in the GNU coreutils \"split\" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0684"
        }
      ]
    }
  ]
}