CVE-2017-10140

CVE-2017-10140 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Information disclosure
Description
+ Berkeley DB was found to read the DB_CONFIG configuration file from the current working directory by default. This happens when db_create() is called with dbenv=NULL or when the dbm_open() function is used. For setuid or setgid commands this behavior is a security vulnerability, because excerpts of the file are revealed to the calling user (and maybe more harm could be done with specially crafted DB_CONFIG files).
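A pre-flight check that a setuid or setgid program could run on its working directory before calling db_create() with dbenv=NULL or dbm_open(), as an added example (not code from Berkeley DB, Postfix or Exim). The names db_config_risk, demo_case, the DBCFG_* flags and the trusted_owner parameter are hypothetical, and the scratch directory under /tmp is constructed sample input.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define DBCFG_PRESENT       1 /* a DB_CONFIG entry exists in the directory */
#define DBCFG_DIR_UNTRUSTED 2 /* someone else could plant one there        */
/* Inspect `dir` (normally ".") before db_create(dbenv=NULL) / dbm_open().
 * trusted_owner: uid allowed to own the directory besides root (assumption). */
int db_config_risk(const char *dir, uid_t trusted_owner)
{
    struct stat d, f;
    int risk = 0, fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0 || fstat(fd, &d) != 0) {        /* cannot inspect: fail closed */
        if (fd >= 0) close(fd);
        return DBCFG_PRESENT | DBCFG_DIR_UNTRUSTED;
    }
    if (fstatat(fd, "DB_CONFIG", &f, AT_SYMLINK_NOFOLLOW) == 0)
        risk |= DBCFG_PRESENT;                 /* any entry, even a symlink */
    if ((d.st_mode & (S_IWGRP | S_IWOTH)) ||
        (d.st_uid != 0 && d.st_uid != trusted_owner))
        risk |= DBCFG_DIR_UNTRUSTED;
    close(fd);
    return risk;
}

/* Constructed sample: scratch directory with an optional planted DB_CONFIG. */
int demo_case(int plant, mode_t mode)
{
    char tmpl[] = "/tmp/dbcfg-demo-XXXXXX", path[64];
    int risk; FILE *fp;
    if (!mkdtemp(tmpl)) return -1;
    snprintf(path, sizeof path, "%s/DB_CONFIG", tmpl);
    if (plant && (fp = fopen(path, "w")) != NULL) {
        fputs("set_data_dir /constructed\n", fp);
        fclose(fp);
    }
    chmod(tmpl, mode);                         /* e.g. 0777: world-writable */
    risk = db_config_risk(tmpl, geteuid());
    unlink(path);
    rmdir(tmpl);
    return risk;
}

int main(void) { return db_config_risk(".", 0) != 0; } /* exit 1: unsafe cwd */
```

When the result is nonzero, a privileged caller can refuse to open the database or chdir() to a directory it controls first, passing 0 or its service account's uid as trusted_owner.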
References
+ http://seclists.org/oss-sec/2017/q2/452
+ http://www.postfix.org/announcements/postfix-3.2.2.html
+ https://git.exim.org/exim.git/commitdiff/98bf975ca462bebeaa1325d72381847c5118ff14
Notes