CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
14.2%
init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely
reuses a preexisting temporary directory in the predictable location
/tmp/timeshift. It follows symlinks in this location or uses directories
owned by unprivileged users. Because Timeshift also executes scripts under
this location, an attacker can attempt to win a race condition to replace
scripts created by Timeshift with attacker-controlled scripts. Upon
success, an attacker-controlled script is executed with full root
privileges. This logic is practically always triggered when Timeshift runs
regardless of the command-line arguments used.
bugzilla.suse.com/show_bug.cgi?id=1165802
github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462
github.com/teejee2008/timeshift/releases/tag/v20.03
launchpad.net/bugs/cve/CVE-2020-10174
nvd.nist.gov/vuln/detail/CVE-2020-10174
security-tracker.debian.org/tracker/CVE-2020-10174
ubuntu.com/security/notices/USN-4312-1
www.cve.org/CVERecord?id=CVE-2020-10174
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
14.2%