CVE-2020-8013

A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can't be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1.

CVSS v3 2.2 LOW
CVSS v2.0 1.9 LOW

2.2^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

1.9^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html	Mailing List Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1163922	Issue Tracking Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html	Mailing List Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1163922	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:suse:linux_enterprise_server:11:::::::*
	cpe:2.3:o:suse:linux_enterprise_server:12:::::::*
	cpe:2.3:o:suse:linux_enterprise_server:15:::::::*

Configuration 2 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

History

21 Nov 2024, 05:38

Type	Values Removed	Values Added
References	~~() http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html - Mailing List, Vendor Advisory~~	() http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html - Mailing List, Vendor Advisory
References	~~() https://bugzilla.suse.com/show_bug.cgi?id=1163922 - Issue Tracking, Vendor Advisory~~	() https://bugzilla.suse.com/show_bug.cgi?id=1163922 - Issue Tracking, Vendor Advisory
CVSS	v2 : ~~1.9~~ v3 : ~~2.5~~	v2 : 1.9 v3 : 2.2

Information

Published : 2020-03-02 17:15

Updated : 2024-11-21 05:38

NVD link : CVE-2020-8013

Mitre link : CVE-2020-8013

CVE.ORG link : CVE-2020-8013

JSON object : View

Products Affected

suse

linux_enterprise_server

opensuse

leap

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

2.2 /10

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

1.9 /10

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-8013

2.2^/10

1.9^/10

Attach tags to `CVE-2020-8013`