CVE-2021-25630

Type: cve
Source: Document Fdn.
History: Feb 23, 2021 - 4:15 p.m. (2021-02-23 16:15:13)
CWE: CWE-269
Reference: web.nvd.nist.gov
Tags: loolforkit, privilege escalation, cve-2021-25630, nvd

CVSS2: 7.2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.4 (Confidence: High)
EPSS: 0 (Percentile: 12.6%)

“loolforkit” is a privileged program that is supposed to be run by a special, non-privileged “lool” user. Before doing anything else, “loolforkit” checks whether it was invoked by the “lool” user and refuses to run with privileges if that is not the case. In the vulnerable version of “loolforkit” this check was wrong, so a normal user could start “loolforkit” and eventually get local root privileges.

Affected configurations

Nvd
Node:
  collaboraoffice online, range 4.2.0 to 4.2.13
  OR
  collaboraoffice online, range 6.4.0 to 6.4.3

Vendor: collaboraoffice
Product: online
Version: *
CPE: cpe:2.3:a:collaboraoffice:online:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Collabora Online",
    "vendor": "Collabora Productivity",
    "versions": [
      {
        "lessThan": "4.2.13",
        "status": "affected",
        "version": "Collabora Online 4.2",
        "versionType": "custom"
      },
      {
        "lessThan": "6.4.3",
        "status": "affected",
        "version": "Collabora Online 6.4",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "LibreOffice Online",
    "vendor": "The Document Foundation",
    "versions": [
      {
        "lessThanOrEqual": "7.0.1.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
