Lucene search

K
rosalinuxROSA LABROSA-SA-2021-1980
HistoryJul 02, 2021 - 6:12 p.m.

Advisory ROSA-SA-2021-1980

2021-07-0218:12:00
ROSA LAB
abf.rosalinux.ru
13
advisory
sudo 1.8.23
cobalt 7.9
cve-2021-23239
cve-2021-23240
low
high
race condition
symbolic link
arbitrary path
file ownership
privilege escalation
selinux
rbac

CVSS2

4.4

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

40.7%

Software: sudo 1.8.23
OS: Cobalt 7.9

CVE-ID: CVE-2021-23239
CVE-Crit: LOW
CVE-DESC: The sudoedit personality in sudo before 1.9.5 can allow a local unprivileged user to perform arbitrary directory existence tests by winning the sudo_edit.c race condition when replacing a user-controlled directory with a symbolic link to an arbitrary path.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-23240
CVE-Crit: HIGH
CVE-DESC: selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and elevate privileges by replacing a temporary file with a symbolic link to an arbitrary target file. This affects SELinux RBAC support for SELinux RBAC in permissive mode. Machines without SELinux are not vulnerable.
CVE-STATUS: default
CVE-REV: default

OSVersionArchitecturePackageVersionFilename
Cobaltanynoarchsudo< 1.8.23UNKNOWN

CVSS2

4.4

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

40.7%