CVE-2021-25317

A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions.

CVSS v3 3.3 LOW
CVSS v2.0 2.1 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1184161	Issue Tracking Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:ltss:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 (hide)

AND

cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*

cpe:2.3:a:suse:manager_server:4.0:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*

cpe:2.3:a:suse:openstack_cloud_crowbar:9.0:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*

cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*

History

07 Nov 2023, 03:31

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/', 'name': 'FEDORA-2021-dc578ce534', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/', 'name': 'FEDORA-2021-7b698513d5', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/', 'name': 'FEDORA-2021-be95e017e7', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/ -

27 May 2021, 16:37

Type	Values Removed	Values Added
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/ - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:fedoraproject:fedora:32:::::::*

14 May 2021, 20:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/ -

14 May 2021, 18:51

Type	Values Removed	Values Added
References	~~(CONFIRM) https://bugzilla.suse.com/show_bug.cgi?id=1184161 -~~	(CONFIRM) https://bugzilla.suse.com/show_bug.cgi?id=1184161 - Issue Tracking, Vendor Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/ - Mailing List, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.1 v3 : 3.3
CPE		cpe:2.3:o:suse:linux_enterprise_server:11:sp4:::ltss:::* cpe:2.3:o:opensuse:leap:15.2:::::::* cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:a:suse:openstack_cloud_crowbar:9.0:::::::* cpe:2.3:a:suse:cups:::::::: cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:a:suse:manager_server:4.0:::::::* cpe:2.3:a:opensuse:factory:-:::::::*

10 May 2021, 03:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/ -

06 May 2021, 14:15

Type	Values Removed	Values Added
CWE		CWE-276
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/ -

05 May 2021, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-05-05 10:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-25317

Mitre link : CVE-2021-25317

CVE.ORG link : CVE-2021-25317

JSON object : View

Products Affected

suse

manager_server
openstack_cloud_crowbar
linux_enterprise_server
cups

opensuse

leap
factory

fedoraproject

fedora

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2021-25317", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "meissner@suse.de", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2021-05-05T10:15:08.133", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184161", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "meissner@suse.de"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWPGZLT3U776Q5YPPSA6LGFWWBDWBVH3/", "source": "meissner@suse.de"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H74BP746O5NNVCBUTLLZYAFBPESFVECV/", "source": "meissner@suse.de"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S37IDQGHTORQ3Z6VRDQIGBYVOI27YG47/", "source": "meissner@suse.de"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "meissner@suse.de", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de Permisos Predeterminados Incorrectos en el paquete de cups de SUSE Linux Enterprise Server versi\u00f3n 11-SP4-LTSS, SUSE Manager Server versi\u00f3n 4.0, SUSE OpenStack Cloud Crowbar versi\u00f3n 9; openSUSE Leap versi\u00f3n 15.2, Factory permite a atacantes locales con control de los usuarios lp crear archivos como root con permisos 0644 sin la capacidad de configurar el contenido. Este problema afecta a: cups de SUSE Linux Enterprise Server 11-SP4-LTSS versiones anteriores a 1.3.9. cups de Versiones de SUSE Manager Server 4.0 versiones anteriores a 2.2.7. cups de SUSE OpenStack Cloud Crowbar 9 versiones anteriores a 1.7.5. cups de openSUSE Leap 15.2 versiones anteriores a 2.2.7. cups de openSUSE Factory versi\u00f3n 2.3.3op2-2.1 y versiones anteriores"}], "lastModified": "2023-11-07T03:31:27.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBA9434A-422D-4A29-BEEE-F22A4F0A009D", "versionEndExcluding": "1.3.9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:ltss:*:*:*", "vulnerable": false, "matchCriteriaId": "7B84C8D3-0B59-40DC-881D-D016A422E8CC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90FDBEA0-97A9-49D1-B8EB-30E71C762103", "versionEndExcluding": "2.2.7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:manager_server:4.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "51136B38-5715-49B3-BD8D-91F90632247D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE74AE32-F7BA-41B3-92FD-B2F5C24C1089", "versionEndExcluding": "1.7.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:openstack_cloud_crowbar:9.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B631400C-0A5A-45A3-9DFA-B419E83D324E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90FDBEA0-97A9-49D1-B8EB-30E71C762103", "versionEndExcluding": "2.2.7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87BA20B7-2A6B-48A5-80D0-FC5CA3E9A54B", "versionEndIncluding": "2.3.3op2-2.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E29492E1-43D8-43BF-94E3-26A762A66FAA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "meissner@suse.de"}