{"id":"CVE-2019-3689","details":"In the nfs-utils package in SUSE Linux Enterprise Server 12 up to and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 up to and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.","modified":"2026-03-15T22:31:35.425931Z","published":"2019-09-19T14:15:10.650Z","related":["SUSE-SU-2019:2771-1","SUSE-SU-2019:2776-1","SUSE-SU-2019:2781-1","SUSE-SU-2019:2782-1","openSUSE-SU-2019:2408-1","openSUSE-SU-2019:2435-1","openSUSE-SU-2024:11090-1","openSUSE-SU-2024:11307-1"],"references":[{"type":"WEB","url":"https://git.linux-nfs.org/?p=steved/nfs-utils.git%3Ba=commitdiff%3Bh=fee2cc29e888f2ced6a76990923aef19d326dc0e"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00026.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4400-1/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00071.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00006.html"},{"type":"FIX","url":"https://bugzilla.suse.com/show_bug.cgi?id=1150733"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3689.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.3.0-34.18.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.1-6.10.2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}