CVE-2021-20001

2022-02-1120:15:07

Debian Security Bug Tracker

security-tracker.debian.org

debian-edu-config configuration files privilege escalation

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

58.5%

JSON

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.

OSVersionArchitecturePackageVersionFilename
Debian12alldebian-edu-config< 2.12.16debian-edu-config_2.12.16_all.deb
Debian11alldebian-edu-config< 2.11.56+deb11u3debian-edu-config_2.11.56+deb11u3_all.deb
Debian999alldebian-edu-config< 2.12.16debian-edu-config_2.12.16_all.deb
Debian13alldebian-edu-config< 2.12.16debian-edu-config_2.12.16_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	debian-edu-config	< 2.12.16	debian-edu-config_2.12.16_all.deb
Debian	11	all	debian-edu-config	< 2.11.56+deb11u3	debian-edu-config_2.11.56+deb11u3_all.deb
Debian	999	all	debian-edu-config	< 2.12.16	debian-edu-config_2.12.16_all.deb
Debian	13	all	debian-edu-config	< 2.12.16	debian-edu-config_2.12.16_all.deb