Local root exploit via inclusion of attacker controlled shell script
CVE-2018-19636

7.3HIGH

Key Information:

Vendor: Suse
Status: Supportutils
Vendor: CVE Published:; 5 March 2019

Summary

Supportutils, before version 3.1-5.7.1, when run with command line argument -A searched the file system for a ndspath binary. If an attacker provides one at an arbitrary location it is executed with root privileges

Affected Version(s)

supportutils < 3.1-5.7.1

References

https://bugzilla.suse.com/show_bug.cgi?id=1117751

x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2019...

vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2019
Vulnerability Reserved
Nov 28, 2018

Credit

Vítězslav Čížek of SUSE