Local privilege escalation from user wwwrun to root in the packaging of mailman

CVE-2019-3693

7.7HIGH

Key Information

Vendor: Suse
Status: Suse Linux Enterprise Server 11; Suse Linux Enterprise Server 12; Leap 15.1
Vendor: CVE Published:; 24 January 2020

Summary

A symlink following vulnerability in the packaging of mailman in SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12; openSUSE Leap 15.1 allowed local attackers to escalate their privileges from user wwwrun to root. Additionally arbitrary files could be changed to group mailman. This issue affects: SUSE Linux Enterprise Server 11 mailman versions prior to 2.1.15-9.6.15.1. SUSE Linux Enterprise Server 12 mailman versions prior to 2.1.17-3.11.1. openSUSE Leap 15.1 mailman version 2.1.29-lp151.2.14 and prior versions.

Affected Version(s)

SUSE Linux Enterprise Server 11 < 2.1.15-9.6.15.1

SUSE Linux Enterprise Server 12 < 2.1.17-3.11.1

Leap 15.1 <= 2.1.29-lp151.2.14

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 7.8 to: 7.7 - (HIGH)
Feb 22, 2024
Vulnerability published.
Jan 24, 2020
Vulnerability Reserved.
Jan 3, 2019

Collectors

NVD DatabaseMitre Database

Credit

Johannes Segitz of SUSE