Mlocate Vulnerability Allows Arbitrary File Read by Root Users
CVE-2023-32190

Currently unrated

Key Information:

Vendor: SUSE
CVE Published: 16 October 2024

Summary

mlocate's post-installation script contains vulnerabilities that enable users with RUN_UPDATEDB_AS privileges to alter file permissions in a manner that makes arbitrary files world-readable. This occurs due to inadequate checks and insecure file operations executed with root-level privileges, allowing unauthorized access to sensitive data. The flaw underscores the importance of implementing stricter user permissions and validating file operations to safeguard system integrity.

Affected Version(s)

openSUSE Tumbleweed: versions before 0.26-37.1 (starting version unspecified)

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Johannes Segitz of SUSE