Mlocate Vulnerability Allows Arbitrary File Read by Root Users
CVE-2023-32190

8.5HIGH

Key Information:

Vendor: Suse
Status: Opensuse Tumbleweed
Vendor: CVE Published:; 16 October 2024

Summary

mlocate's post-installation script contains vulnerabilities that enable users with RUN_UPDATEDB_AS privileges to alter file permissions in a manner that makes arbitrary files world-readable. This occurs due to inadequate checks and insecure file operations executed with root-level privileges, allowing unauthorized access to sensitive data. The flaw underscores the importance of implementing stricter user permissions and validating file operations to safeguard system integrity.

Affected Version(s)

openSUSE Tumbleweed ? < 0.26-37.1

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32190

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
May 4, 2023

Credit

Johannes Segitz of SUSE