
Advisory ROSA-SA-2023-2132

2023-03-14 14:19:09
ROSA LAB
abf.rosalinux.ru

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 1.7 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.0004 Low
Percentile: 9.7%

Software: pesign 0.109
OS: rosa-server79

package_evr_string: pesign-0.109-11

CVE-ID: CVE-2022-3560
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC: A flaw has been found in the design. The pesign package provides a systemd service used to run the pesign daemon. This service module runs a script to set ACLs for the /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the ‘pesign’ group. However, the script does not check for symbolic links. This could allow an attacker to gain access to privileged files and directories using a path traversal attack.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update command

OS    Version  Architecture  Package  Version  Filename
rosa  any      noarch        pesign   < 0.109  UNKNOWN
