{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright © Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/vex/2009/cve-2009-1143.json" } ], "title": "open-vm-tools: access bypass due to realpath race condition in mount.vmhgfs (aka hgfsmounter)", "tracking": { "current_release_date": "2025-11-21T11:52:36+00:00", "generator": { "date": "2025-11-21T11:52:36+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.12" } }, "id": "CVE-2009-1143", "initial_release_date": "2009-01-01T00:00:00+00:00", "revision_history": [ { "date": "2009-01-01T00:00:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-04-25T21:20:07+00:00", "number": "2", "summary": "Current version" }, { "date": "2025-11-21T11:52:36+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 8", "product": { "name": "Red Hat Enterprise Linux 8", "product_id": "red_hat_enterprise_linux_8", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 9", "product": { "name": "Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:9" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux 9" }, { "category": "product_version", "name": "open-vm-tools-devel", "product": { "name": "open-vm-tools-devel", "product_id": "open-vm-tools-devel", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools-devel" } } }, { "category": "product_version", "name": "open-vm-tools.src", "product": { "name": "open-vm-tools.src", "product_id": "open-vm-tools.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools?arch=src" } } }, { "category": "product_version", "name": "open-vm-tools-test", "product": { "name": "open-vm-tools-test", "product_id": "open-vm-tools-test", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools-test" } } }, { "category": "product_version", "name": "open-vm-tools", "product": { "name": "open-vm-tools", "product_id": "open-vm-tools", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools" } } }, { "category": "product_version", "name": "open-vm-tools-desktop", "product": { "name": "open-vm-tools-desktop", "product_id": "open-vm-tools-desktop", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools-desktop" } } }, { "category": "product_version", "name": "open-vm-tools-sdmp", "product": { "name": "open-vm-tools-sdmp", "product_id": "open-vm-tools-sdmp", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools-sdmp" } } }, { "category": "product_version", "name": "open-vm-tools-salt-minion", "product": { "name": "open-vm-tools-salt-minion", "product_id": "open-vm-tools-salt-minion", "product_identification_helper": { "purl": "pkg:rpm/redhat/open-vm-tools-salt-minion" } } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools as a component of Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7:open-vm-tools" }, "product_reference": "open-vm-tools", "relates_to_product_reference": "red_hat_enterprise_linux_7" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-desktop as a component of Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7:open-vm-tools-desktop" }, "product_reference": "open-vm-tools-desktop", "relates_to_product_reference": "red_hat_enterprise_linux_7" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-devel as a component of Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7:open-vm-tools-devel" }, "product_reference": "open-vm-tools-devel", "relates_to_product_reference": "red_hat_enterprise_linux_7" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-test as a component of Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7:open-vm-tools-test" }, "product_reference": "open-vm-tools-test", "relates_to_product_reference": "red_hat_enterprise_linux_7" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools.src as a component of Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7:open-vm-tools.src" }, "product_reference": "open-vm-tools.src", "relates_to_product_reference": "red_hat_enterprise_linux_7" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools as a component of Red Hat Enterprise Linux 8", "product_id": "red_hat_enterprise_linux_8:open-vm-tools" }, "product_reference": "open-vm-tools", "relates_to_product_reference": "red_hat_enterprise_linux_8" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-desktop as a component of Red Hat Enterprise Linux 8", "product_id": "red_hat_enterprise_linux_8:open-vm-tools-desktop" }, "product_reference": "open-vm-tools-desktop", "relates_to_product_reference": "red_hat_enterprise_linux_8" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-salt-minion as a component of Red Hat Enterprise Linux 8", "product_id": "red_hat_enterprise_linux_8:open-vm-tools-salt-minion" }, "product_reference": "open-vm-tools-salt-minion", "relates_to_product_reference": "red_hat_enterprise_linux_8" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-sdmp as a component of Red Hat Enterprise Linux 8", "product_id": "red_hat_enterprise_linux_8:open-vm-tools-sdmp" }, "product_reference": "open-vm-tools-sdmp", "relates_to_product_reference": "red_hat_enterprise_linux_8" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools.src as a component of Red Hat Enterprise Linux 8", "product_id": "red_hat_enterprise_linux_8:open-vm-tools.src" }, "product_reference": "open-vm-tools.src", "relates_to_product_reference": "red_hat_enterprise_linux_8" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools as a component of Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9:open-vm-tools" }, "product_reference": "open-vm-tools", "relates_to_product_reference": "red_hat_enterprise_linux_9" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-desktop as a component of Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9:open-vm-tools-desktop" }, "product_reference": "open-vm-tools-desktop", "relates_to_product_reference": "red_hat_enterprise_linux_9" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-salt-minion as a component of Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9:open-vm-tools-salt-minion" }, "product_reference": "open-vm-tools-salt-minion", "relates_to_product_reference": "red_hat_enterprise_linux_9" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-sdmp as a component of Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9:open-vm-tools-sdmp" }, "product_reference": "open-vm-tools-sdmp", "relates_to_product_reference": "red_hat_enterprise_linux_9" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools-test as a component of Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9:open-vm-tools-test" }, "product_reference": "open-vm-tools-test", "relates_to_product_reference": "red_hat_enterprise_linux_9" }, { "category": "default_component_of", "full_product_name": { "name": "open-vm-tools.src as a component of Red Hat Enterprise Linux 9", "product_id": "red_hat_enterprise_linux_9:open-vm-tools.src" }, "product_reference": "open-vm-tools.src", "relates_to_product_reference": "red_hat_enterprise_linux_9" } ] }, "vulnerabilities": [ { "cve": "CVE-2009-1143", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access ('Link Following')" }, "discovery_date": "2023-01-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "red_hat_enterprise_linux_9:open-vm-tools", "red_hat_enterprise_linux_9:open-vm-tools-desktop", "red_hat_enterprise_linux_9:open-vm-tools-salt-minion", "red_hat_enterprise_linux_9:open-vm-tools-sdmp", "red_hat_enterprise_linux_9:open-vm-tools-test", "red_hat_enterprise_linux_9:open-vm-tools.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158066" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in open-vm-tools. This flaw allows local users to bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).", "title": "Vulnerability description" }, { "category": "summary", "text": "open-vm-tools: access bypass due to realpath race condition in mount.vmhgfs (aka hgfsmounter)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "red_hat_enterprise_linux_7:open-vm-tools", "red_hat_enterprise_linux_7:open-vm-tools-desktop", "red_hat_enterprise_linux_7:open-vm-tools-devel", "red_hat_enterprise_linux_7:open-vm-tools-test", "red_hat_enterprise_linux_7:open-vm-tools.src", "red_hat_enterprise_linux_8:open-vm-tools", "red_hat_enterprise_linux_8:open-vm-tools-desktop", "red_hat_enterprise_linux_8:open-vm-tools-salt-minion", "red_hat_enterprise_linux_8:open-vm-tools-sdmp", "red_hat_enterprise_linux_8:open-vm-tools.src" ], "known_not_affected": [ "red_hat_enterprise_linux_9:open-vm-tools", "red_hat_enterprise_linux_9:open-vm-tools-desktop", "red_hat_enterprise_linux_9:open-vm-tools-salt-minion", "red_hat_enterprise_linux_9:open-vm-tools-sdmp", "red_hat_enterprise_linux_9:open-vm-tools-test", "red_hat_enterprise_linux_9:open-vm-tools.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-1143" }, { "category": "external", "summary": "RHBZ#2158066", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158066" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-1143", "url": "https://www.cve.org/CVERecord?id=CVE-2009-1143" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-1143", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1143" }, { "category": "external", "summary": "https://bugzilla.suse.com/show_bug.cgi?id=372070", "url": "https://bugzilla.suse.com/show_bug.cgi?id=372070" } ], "release_date": "2022-11-23T00:00:00+00:00", "remediations": [ { "category": "no_fix_planned", "details": "Out of support scope", "product_ids": [ "red_hat_enterprise_linux_7:open-vm-tools", "red_hat_enterprise_linux_7:open-vm-tools-desktop", "red_hat_enterprise_linux_7:open-vm-tools-devel", "red_hat_enterprise_linux_7:open-vm-tools-test", "red_hat_enterprise_linux_7:open-vm-tools.src" ] }, { "category": "none_available", "details": "Fix deferred", "product_ids": [ "red_hat_enterprise_linux_8:open-vm-tools", "red_hat_enterprise_linux_8:open-vm-tools-desktop", "red_hat_enterprise_linux_8:open-vm-tools-salt-minion", "red_hat_enterprise_linux_8:open-vm-tools-sdmp", "red_hat_enterprise_linux_8:open-vm-tools.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "red_hat_enterprise_linux_7:open-vm-tools", "red_hat_enterprise_linux_7:open-vm-tools-desktop", "red_hat_enterprise_linux_7:open-vm-tools-devel", "red_hat_enterprise_linux_7:open-vm-tools-test", "red_hat_enterprise_linux_7:open-vm-tools.src", "red_hat_enterprise_linux_8:open-vm-tools", "red_hat_enterprise_linux_8:open-vm-tools-desktop", "red_hat_enterprise_linux_8:open-vm-tools-salt-minion", "red_hat_enterprise_linux_8:open-vm-tools-sdmp", "red_hat_enterprise_linux_8:open-vm-tools.src", "red_hat_enterprise_linux_9:open-vm-tools", "red_hat_enterprise_linux_9:open-vm-tools-desktop", "red_hat_enterprise_linux_9:open-vm-tools-salt-minion", "red_hat_enterprise_linux_9:open-vm-tools-sdmp", "red_hat_enterprise_linux_9:open-vm-tools-test", "red_hat_enterprise_linux_9:open-vm-tools.src" ] } ], "threats": [ { "category": "impact", "details": "Low", "product_ids": [ "red_hat_enterprise_linux_7:open-vm-tools", "red_hat_enterprise_linux_7:open-vm-tools-desktop", "red_hat_enterprise_linux_7:open-vm-tools-devel", "red_hat_enterprise_linux_7:open-vm-tools-test", "red_hat_enterprise_linux_7:open-vm-tools.src", "red_hat_enterprise_linux_8:open-vm-tools", "red_hat_enterprise_linux_8:open-vm-tools-desktop", "red_hat_enterprise_linux_8:open-vm-tools-salt-minion", "red_hat_enterprise_linux_8:open-vm-tools-sdmp", "red_hat_enterprise_linux_8:open-vm-tools.src", "red_hat_enterprise_linux_9:open-vm-tools", "red_hat_enterprise_linux_9:open-vm-tools-desktop", "red_hat_enterprise_linux_9:open-vm-tools-salt-minion", "red_hat_enterprise_linux_9:open-vm-tools-sdmp", "red_hat_enterprise_linux_9:open-vm-tools-test", "red_hat_enterprise_linux_9:open-vm-tools.src" ] } ], "title": "open-vm-tools: access bypass due to realpath race condition in mount.vmhgfs (aka hgfsmounter)" } ] }