Advisory ROSA-SA-2023-2225

2023-08-29 12:20:36
ROSA LAB (abf.rosalinux.ru)

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 1.7 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.0004 Low
Percentile: 9.7%

software: pesign 116
WASP: ROSA-CHROME

package_evr_string: pesign-116-1.src.rpm

CVE-ID: CVE-2022-3560
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: A flaw has been discovered in pesign. The pesign package provides a systemd service used to run the pesign daemon. This service unit runs a script that sets ACLs on the /etc/pki/pesign and /run/pesign directories to grant access rights to users in the "pesign" group. However, the script does not check for symbolic links. This could allow an attacker to gain access to privileged files and directories through a path traversal attack.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update mosquitto

OS    Version  Architecture  Package  Version  Filename
ROSA  any      noarch        pesign   < 116    UNKNOWN
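
The missing check named in the description, written as a host audit. This is an added example, not code from the advisory or from the pesign project; the function name find_symlinks and the file name audit.sh are hypothetical. It reports any symbolic link at or below a directory, which is what a script must rule out before changing ACLs recursively.

```shell
#!/bin/sh
# Added example (not from the advisory or the pesign project).
# find_symlinks is a hypothetical helper name.
#
# find_symlinks DIR...
#   Prints "link -> target" for every symbolic link at or below each DIR.
#   Returns 0 when the trees contain no links, 1 when at least one was found.
find_symlinks() {
    found=0
    for dir in "$@"; do
        # The top-level directory itself may have been replaced by a link.
        if [ -L "$dir" ]; then
            printf '%s -> %s\n' "$dir" "$(readlink "$dir")"
            found=1
            continue
        fi
        [ -d "$dir" ] || continue
        # find does not follow symbolic links by default, so the walk
        # stays inside the tree while reporting every link it meets.
        links=$(find "$dir" -type l -print 2>/dev/null) || true
        if [ -n "$links" ]; then
            printf '%s\n' "$links" | while IFS= read -r link; do
                printf '%s -> %s\n' "$link" "$(readlink "$link")"
            done
            found=1
        fi
    done
    return "$found"
}

# When directories are given on the command line, audit them and exit
# non-zero if any link is present, for example:
#   sh audit.sh /etc/pki/pesign /run/pesign
if [ "$#" -gt 0 ]; then
    find_symlinks "$@"
    exit $?
fi
```

Any line of output for /etc/pki/pesign or /run/pesign on a host still running a pesign version below 116 is worth reviewing, since those are the directories the description says receive ACL changes for the "pesign" group.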
