CVE-2020-8024 - OpenCVE

A Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opensuse	Hylafax\+ Leap

Configuration 1 [-]

AND

cpe:2.3:a:opensuse:hylafax\+:*:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:opensuse:hylafax\+:*:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:opensuse:hylafax\+:*:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00022.html
https://bugzilla.suse.com/show_bug.cgi?id=1172731

History

Tue, 17 Sep 2024 01:30:00 +0000

Type	Values Removed	Values Added
Title	Problematic permissions in hylafax+ packaging allow escalation from uucp to other users	Problematic permissions in hylafax+ packaging allow escalation from uucp to other users

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2020-06-29T07:45:17.539675Z

Updated: 2024-09-17T01:21:22.130Z

Reserved: 2020-01-27T00:00:00

Link: CVE-2020-8024

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-29T08:15:10.050

Modified: 2020-07-22T14:54:59.187

Link: CVE-2020-8024

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "openSUSE Leap 15.2", "vendor": "openSUSE", "versions": [{"lessThan": "7.0.2-lp152.2.1", "status": "affected", "version": "hylafax+", "versionType": "custom"}]}, {"product": "openSUSE Leap 15.1", "vendor": "openSUSE", "versions": [{"lessThanOrEqual": "5.6.1-lp151.3.7", "status": "affected", "version": "hylafax+", "versionType": "custom"}]}, {"product": "openSUSE Factory", "vendor": "openSUSE", "versions": [{"lessThan": "7.0.2-2.1", "status": "affected", "version": "hylafax+", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Matthias Gerstner"}], "datePublic": "2020-06-15T00:00:00", "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-14T11:06:15", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172731"}, {"name": "openSUSE-SU-2020:0958", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00022.html"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172731", "defect": ["1172731"], "discovery": "INTERNAL"}, "title": "Problematic permissions in hylafax+ packaging allow escalation from uucp to other users", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2020-06-15T00:00:00.000Z", "ID": "CVE-2020-8024", "STATE": "PUBLIC", "TITLE": "Problematic permissions in hylafax+ packaging allow escalation from uucp to other users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openSUSE Leap 15.2", "version": {"version_data": [{"version_affected": "<", "version_name": "hylafax+", "version_value": "7.0.2-lp152.2.1"}]}}, {"product_name": "openSUSE Leap 15.1", "version": {"version_data": [{"version_affected": "<=", "version_name": "hylafax+", "version_value": "5.6.1-lp151.3.7"}]}}, {"product_name": "openSUSE Factory", "version": {"version_data": [{"version_affected": "<", "version_name": "hylafax+", "version_value": "7.0.2-2.1"}]}}]}, "vendor_name": "openSUSE"}]}}, "credit": [{"lang": "eng", "value": "Matthias Gerstner"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276: Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1172731", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172731"}, {"name": "openSUSE-SU-2020:0958", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00022.html"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172731", "defect": ["1172731"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.596Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172731"}, {"name": "openSUSE-SU-2020:0958", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00022.html"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2020-8024", "datePublished": "2020-06-29T07:45:17.539675Z", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-09-17T01:21:22.130Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:hylafax\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "D30BA4B2-F8ED-4184-8025-2E0300C8BB37", "versionEndExcluding": "7.0.2-lp152.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:hylafax\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "61CFA994-5316-4758-BFBA-01128F80C71D", "versionEndExcluding": "5.6.1-lp151.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:hylafax\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "B607D26D-F85C-49EE-8785-3C3A11E62836", "versionEndExcluding": "7.0.2-2.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1."}, {"lang": "es", "value": "Una vulnerabilidad de Permisos Predeterminados Incorrectos en el paquete de hylafax+ de openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory, permite a atacantes locales escalar desde un usuario uucp a usuarios que llaman binarios de hylafax. Este problema afecta: hylafax+ de openSUSE Leap versiones 15.2 anteriores a 7.0.2-lp152.2.1. hylafax+ de openSUSE Leap 15.1 versiones 5.6.1-lp151.3.7 y anteriores. hylafax+ de openSUSE Factory versiones anteriores a 7.0.2-2.1"}], "id": "CVE-2020-8024", "lastModified": "2020-07-22T14:54:59.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2020-06-29T08:15:10.050", "references": [{"source": "meissner@suse.de", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00022.html"}, {"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172731"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "meissner@suse.de", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Secondary"}]}