Lucene search

GitHub_MCVELIST:CVE-2022-39245

HistorySep 26, 2022 - 1:55 p.m.

CVE-2022-39245 Mist vulnerable to user providing a Sudo binary for authentication checks

2022-09-2613:55:10

CWE-287

CWE-305

GitHub_M

www.cve.org

mist

command-line interface

user-provided

sudo binary

authentication checks

arbitrary commands

root permissions

patch.

8.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Mist is the command-line interface for the makedeb Package Repository. Prior to version 0.9.5, a user-provided sudo binary via the PATH variable can allow a local user to run arbitrary commands on the user’s system with root permissions. Versions 0.9.5 and later contain a patch. No known workarounds exist.

CNA Affected

[
  {
    "product": "mist",
    "vendor": "makedeb",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.9.5"
      }
    ]
  }
]

References

github.com/makedeb/mist/commit/e257561a32cffe3c541b265097959adaea3d6b67

github.com/makedeb/mist/releases/tag/v0.9.5

github.com/makedeb/mist/security/advisories/GHSA-pxg4-7c7r-2ww6

8.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for CVELIST:CVE-2022-39245