Cron
by Vixie
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-9525 | Med | 0.44 | 6.7 | 0.00 | Jun 9, 2017 | In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs. | ||
| CVE-2024-43688 | Hig | 0.40 | 7.3 | 0.00 | Aug 20, 2024 | cron/entry.c in vixie cron before 9cc8ab1, as used in OpenBSD 7.4 and 7.5, allows a heap-based buffer underflow and memory corruption. NOTE: this issue was introduced during a May 2023 refactoring. | ||
| CVE-1999-0769 | 0.03 | — | 0.00 | Aug 25, 1999 | Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable. | |||
| CVE-2019-9705 | 0.00 | — | 0.00 | Mar 12, 2019 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted. | |||
| CVE-2019-9704 | 0.00 | — | 0.00 | Mar 12, 2019 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked. | |||
| CVE-2019-9706 | 0.00 | — | 0.00 | Mar 12, 2019 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error. | |||
| CVE-2007-1856 | 0.00 | — | 0.00 | Apr 18, 2007 | Vixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure permissions, which allows local users to cause a denial of service (cron failure) by creating hard links, which results in a failed st_nlink check in database.c. | |||
| CVE-2006-2607 | 0.00 | — | 0.00 | May 25, 2006 | do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process… | |||
| CVE-2005-1038 | 0.00 | — | 0.00 | May 2, 2005 | crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. | |||
| CVE-2001-0560 | 0.00 | — | 0.00 | Aug 22, 2001 | Buffer overflow in Vixie cron 3.0.1-56 and earlier could allow a local attacker to gain additional privileges via a long username (> 20 characters). | |||
| CVE-1999-0872 | 0.00 | — | 0.00 | Aug 25, 1999 | Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file. | |||
| CVE-1999-0297 | 0.00 | — | 0.00 | Dec 12, 1996 | Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. |
- risk 0.44cvss 6.7epss 0.00
In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
- risk 0.40cvss 7.3epss 0.00
cron/entry.c in vixie cron before 9cc8ab1, as used in OpenBSD 7.4 and 7.5, allows a heap-based buffer underflow and memory corruption. NOTE: this issue was introduced during a May 2023 refactoring.
- CVE-1999-0769Aug 25, 1999risk 0.03cvss —epss 0.00
Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.
- CVE-2019-9705Mar 12, 2019risk 0.00cvss —epss 0.00
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.
- CVE-2019-9704Mar 12, 2019risk 0.00cvss —epss 0.00
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.
- CVE-2019-9706Mar 12, 2019risk 0.00cvss —epss 0.00
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.
- CVE-2007-1856Apr 18, 2007risk 0.00cvss —epss 0.00
Vixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure permissions, which allows local users to cause a denial of service (cron failure) by creating hard links, which results in a failed st_nlink check in database.c.
- CVE-2006-2607May 25, 2006risk 0.00cvss —epss 0.00
do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process…
- CVE-2005-1038May 2, 2005risk 0.00cvss —epss 0.00
crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235.
- CVE-2001-0560Aug 22, 2001risk 0.00cvss —epss 0.00
Buffer overflow in Vixie cron 3.0.1-56 and earlier could allow a local attacker to gain additional privileges via a long username (> 20 characters).
- CVE-1999-0872Aug 25, 1999risk 0.00cvss —epss 0.00
Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.
- CVE-1999-0297Dec 12, 1996risk 0.00cvss —epss 0.00
Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.