CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence: High
EPSS
Percentile: 15.5%
performancecopilot/pcp is vulnerable to Creation of Temporary File With Insecure Permissions. The vulnerability is due to the mixed privilege levels used by the systemd services associated with the package: some services run with limited user/group privileges, while others are granted full root privileges. This disparity creates a risk whenever privileged root processes operate on directories or directory trees owned by unprivileged users. Specifically, it may compromise user isolation and enable local-to-root exploits, particularly through symlink attacks.
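The failure mode described above, and one way a privileged process can guard against it, as an added example that is not code from pcp or from this advisory. The function names and the directory names `svc` and `protected` are constructed for illustration, and the code assumes a POSIX system where `os.open` supports `dir_fd` and `O_NOFOLLOW`.

```python
import os
import tempfile

def naive_write(base, relpath, data):
    # Pattern to avoid in a root service: the kernel resolves every path
    # component by name, following any symlink the directory owner planted.
    with open(os.path.join(base, relpath), "wb") as f:
        f.write(data)

def write_beneath(base, relpath, data, mode=0o600):
    # Hardened form: descend one component at a time relative to a directory
    # fd and refuse symlinks at every step. Assumes `base` itself is a
    # root-controlled path; only what lies beneath it is untrusted.
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("relpath must stay beneath base")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dir_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, dir_flags, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                     mode, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def demo():
    # Constructed layout: "svc" stands in for a tree owned by the unprivileged
    # service user, "protected" for a root-only directory outside that tree.
    with tempfile.TemporaryDirectory() as top:
        svc, protected = os.path.join(top, "svc"), os.path.join(top, "protected")
        os.makedirs(os.path.join(svc, "log"))
        os.mkdir(protected)
        write_beneath(svc, "log/out", b"ok")  # ordinary tree: write succeeds
        os.unlink(os.path.join(svc, "log", "out"))
        os.rmdir(os.path.join(svc, "log"))
        os.symlink(protected, os.path.join(svc, "log"))  # directory swapped for a link
        naive_write(svc, "log/out", b"x")
        escaped = os.listdir(protected)  # the naive write landed outside svc
        os.unlink(os.path.join(protected, "out"))
        try:
            write_beneath(svc, "log/out", b"x")
            blocked = False
        except OSError:
            blocked = True
        return escaped, blocked, os.listdir(protected)
```

`demo()` runs entirely inside a temporary directory and needs no special privileges; it returns what the naive write created outside the service tree, whether the hardened write was refused, and the final contents of the protected directory.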