trousers: Local privilege escalation from tss to root
CVE-2019-18898

7.7HIGH

Key Information:

Vendor: Suse
Status: Suse Linux Enterprise Server 15 Sp1; Factory
Vendor: CVE Published:; 23 January 2020

Summary

UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1.

Affected Version(s)

Factory trousers < 0.3.14-7.1

SUSE Linux Enterprise Server 15 SP1 trousers < 0.3.14-6.3.1

References

http://lists.opensuse.org/opensuse-security-announce/2020...

vendor-advisoryx_refsource_SUSE

https://bugzilla.suse.com/show_bug.cgi?id=1157651

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 23, 2020
Vulnerability Reserved
Nov 12, 2019

Credit

Johannes Segitz from SUSE