The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33771
http://www.openwall.com/lists/oss-security/2010/08/18/2
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33767
http://www.openwall.com/lists/oss-security/2010/08/19/5
http://www.securityfocus.com/bid/42527
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33769
https://bugzilla.redhat.com/show_bug.cgi?id=624923
http://oss.sgi.com/archives/xfs/2010-06/msg00198.html
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33768
http://oss.sgi.com/archives/xfs/2010-06/msg00191.html
http://www.redhat.com/support/errata/RHSA-2010-0723.html
http://secunia.com/advisories/42758
http://www.ubuntu.com/usn/USN-1041-1
http://www.vupen.com/english/advisories/2011/0070
http://secunia.com/advisories/43161
http://www.ubuntu.com/usn/USN-1057-1
http://www.vupen.com/english/advisories/2011/0280
http://support.avaya.com/css/P8/documents/100113326
http://secunia.com/advisories/46397
http://www.vmware.com/security/advisories/VMSA-2011-0012.html
http://www.securityfocus.com/archive/1/520102/100/0/threaded
Source: MITRE
Published: 2010-09-30
Updated: 2023-02-13
Type: CWE-200
CVSS v2 Base Score: 6.4
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Impact Score: 4.9
Exploitability Score: 10
Severity: MEDIUM
CVSS v3.1 Base Score: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Impact Score: 5.2
Exploitability Score: 2.8
Severity: HIGH