Lucene search

RedhatCVE-2020-36772

HistoryJan 22, 2024 - 3:15 p.m.

CVE-2020-36772

2024-01-2215:15:07

CWE-610

CWE-73

redhat

web.nvd.nist.gov

cloudlinux

cagefs

cve-2020-36772

security

file paths

sendmail proxy

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

4.7

Confidence

High

EPSS

Percentile

5.1%

JSON

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment.

Affected configurations

Nvd

Vulners

Node

cloudlinuxcagefsRange<7.1.1-1

VendorProductVersionCPE
cloudlinuxcagefs*cpe:2.3:a:cloudlinux:cagefs:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudlinux	cagefs	*	cpe:2.3:a:cloudlinux:cagefs::::::::

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "cagefs",
    "vendor": "Cloudlinux OS",
    "versions": [
      {
        "status": "affected",
        "version": "7.0.8-2"
      },
      {
        "status": "unaffected",
        "version": "7.1.1-1"
      }
    ]
  }
]

References

packetstormsecurity.com/files/176791/CloudLinux-CageFS-7.0.8-2-Insufficiently-Restricted-Proxy-Command.html

seclists.org/fulldisclosure/2024/Jan/25

blog.cloudlinux.com/lve-manager-lve-stats-lve-utils-and-alt-python27-cllib-have-been-rolled-out-to-100

github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

4.7

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for CVE-2020-36772