Local privilege escalation from user news to root in the packaging of inn
CVE-2019-3692

7.7HIGH

Key Information:

Vendor
Suse
Status
Suse Linux Enterprise Server 11
Factory
Leap 15.1
Vendor
CVE Published:
24 January 2020

Summary

The packaging of inn on SUSE Linux Enterprise Server 11; openSUSE Factory, Leap 15.1 allows local attackers to escalate from user inn to root via symlink attacks. This issue affects: SUSE Linux Enterprise Server 11 inn version 2.4.2-170.21.3.1 and prior versions. openSUSE Factory inn version 2.6.2-2.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.2.47 and prior versions.

Affected Version(s)

Factory inn <= 2.6.2-2.2

Leap 15.1 inn <= 2.5.4-lp151.2.47

SUSE Linux Enterprise Server 11 inn <= 2.4.2-170.21.3.1

References

http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE
https://bugzilla.suse.com/show_bug.cgi?id=1154302
x_refsource_CONFIRM

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Johannes Segitz of SUSE
.