sendmail: mail to root privilege escalation via sm-client.pre script

CVE-2022-31256

7.7HIGH

Key Information

Vendor: Suse
Status: Opensuse Factory
Vendor: CVE Published:; 26 October 2022

Summary

A Improper Link Resolution Before File Access ('Link Following') vulnerability in a script called by the sendmail systemd service of openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: SUSE openSUSE Factory sendmail versions prior to 8.17.1-1.1.

Affected Version(s)

openSUSE Factory < 8.17.1-1.1

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 7.8 to: 7.7 - (HIGH)
Feb 22, 2024
Vulnerability published.
Oct 26, 2022
Vulnerability Reserved.
May 20, 2022

Collectors

NVD DatabaseMitre Database

Credit

Matthias Gerstner and Filippo Bonazzi from SUSE