CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU race condition. The routine to check the log and report file permissions was not working as intended and could be bypassed locally. Because of the race, an unprivileged attacker can set up a log and report file, and control that up to the point where the specific routine is doing its check. After that, the file can be removed, recreated, and used for additional attacks.
References
Configurations
History
07 Nov 2023, 03:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
07 Nov 2022, 13:37
Type | Values Removed | Values Added |
---|---|---|
First Time |
Fedoraproject
Fedoraproject fedora |
|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFHIX6RTHCK37FXMAAXP4KGAMLUFDUD/ - Mailing List, Third Party Advisory | |
References | (MISC) https://cwe.mitre.org/data/definitions/367.html - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDCHEKNR3HPJRNHE5PYKFH5GNBADTPA7/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* |
10 Jul 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-06-18 18:15
Updated : 2023-12-10 13:27
NVD link : CVE-2020-13882
Mitre link : CVE-2020-13882
CVE.ORG link : CVE-2020-13882
JSON object : View
Products Affected
fedoraproject
- fedora
cisofy
- lynis
CWE
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition