openldap2: /usr/lib/openldap/start allows ldap user/group to recursively chown arbitrary directory trees to itself
CVE-2022-31253

7.1HIGH

Key Information:

Vendor: Opensuse
Status: Factory
Vendor: CVE Published:; 27 October 2022

What is CVE-2022-31253?

A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Factory openldap2 < 2.6.3-404.1

References

https://bugzilla.suse.com/show_bug.cgi?id=1202931

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 27, 2022
Vulnerability Reserved
May 20, 2022

Credit

Matthias Gerstner from SUSE

JSON

Opensuse

What is CVE-2022-31253?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.