{"containers": {"cna": {"affected": [{"product": "SUSE Linux Enterprise Server 15 SP1", "vendor": "SUSE", "versions": [{"lessThan": "0.3.14-6.3.1", "status": "affected", "version": "trousers", "versionType": "custom"}]}, {"product": "Factory", "vendor": "openSUSE", "versions": [{"lessThan": "0.3.14-7.1", "status": "affected", "version": "trousers", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Johannes Segitz from SUSE"}], "datePublic": "2019-11-26T00:00:00", "descriptions": [{"lang": "en", "value": "UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-20T15:45:08", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"name": "openSUSE-SU-2020:0744", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00066.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1157651"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1157651", "defect": ["1157651"], "discovery": "INTERNAL"}, "title": "trousers: Local privilege escalation from tss to root", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2019-11-26T00:00:00.000Z", "ID": "CVE-2019-18898", "STATE": "PUBLIC", "TITLE": "trousers: Local privilege escalation from tss to root"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SUSE Linux Enterprise Server 15 SP1", "version": {"version_data": [{"version_affected": "<", "version_name": "trousers", "version_value": "0.3.14-6.3.1"}]}}]}, "vendor_name": "SUSE"}, {"product": {"product_data": [{"product_name": "Factory", "version": {"version_data": [{"version_affected": "<", "version_name": "trousers", "version_value": "0.3.14-7.1"}]}}]}, "vendor_name": "openSUSE"}]}}, "credit": [{"lang": "eng", "value": "Johannes Segitz from SUSE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2020:0744", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00066.html"}, {"name": "https://bugzilla.suse.com/show_bug.cgi?id=1157651", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1157651"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1157651", "defect": ["1157651"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:02:39.883Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2020:0744", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00066.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1157651"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2019-18898", "datePublished": "2020-01-23T14:05:14.446560Z", "dateReserved": "2019-11-12T00:00:00", "dateUpdated": "2024-09-16T18:24:53.684Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:trousers:*:*:*:*:*:*:*:*", "matchCriteriaId": "30F83609-2CE3-4073-819D-8D5F548C0324", "versionEndExcluding": "0.3.14-6.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:15:sp1:*:*:*:*:*:*", "matchCriteriaId": "7642C831-6063-4405-A352-431CE374458A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:trousers:*:*:*:*:*:*:*:*", "matchCriteriaId": "A115FCF0-E6FF-4B0C-BA91-1798C335ED0D", "versionEndExcluding": "0.3.14-7.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:opensuse_factory:-:*:*:*:*:*:*:*", "matchCriteriaId": "64D9A5D6-4B12-4B25-ACD2-560C864B6FE1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1."}, {"lang": "es", "value": "Enlace simb\u00f3lico de UNIX (Symlink) Siguiendo la vulnerabilidad en el paquete trousers de SUSE Linux Enterprise Server 15 SP1; Los atacantes locales permitidos por openSUSE Factory escalan los privilegios del usuario tss al root. Este problema afecta a: SUSE Linux Enterprise Server 15 SP1 versiones de trousers anteriores a la versi\u00f3n 0.3.14-6.3.1. Versiones de trousers openSUSE Factory anteriores a la versi\u00f3n 0.3.14-7.1."}], "id": "CVE-2019-18898", "lastModified": "2022-11-10T04:43:07.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2020-01-23T14:15:12.327", "references": [{"source": "meissner@suse.de", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00066.html"}, {"source": "meissner@suse.de", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1157651"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "meissner@suse.de", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "trousers: local privilege escalation from tss to root", "id": "1787080", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1787080"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-266", "details": ["UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1."], "name": "CVE-2019-18898", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "trousers", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "trousers", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "trousers", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "trousers", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2019-11-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-18898\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18898"], "statement": "The trousers versions as shipped as Red Hat Enterprise Linux 5, 6, 7 and 8 are not affected by this issue. The flaw resides on the post transaction scriptlet from the RPM package. This scriptlet doesn't exists on Red Hat Enterprise Linux RPM spec file.", "threat_severity": "Low"}