CVE-2020-8026 - OpenCVE

A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opensuse	Backports Sle Leap Tumbleweed

Configuration 1 [-]

OR	cpe:2.3:a:opensuse:backports_sle:15.0:sp1::::::
	cpe:2.3:a:opensuse:backports_sle:15.0:sp2::::::
	cpe:2.3:a:opensuse:tumbleweed::::::::
	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html
https://bugzilla.suse.com/show_bug.cgi?id=1172573

History

No history.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2020-08-07T09:25:13.939809Z

Updated: 2024-09-16T16:57:41.593Z

Reserved: 2020-01-27T00:00:00

Link: CVE-2020-8026

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-08-07T10:15:11.987

Modified: 2023-01-24T02:58:32.393

Link: CVE-2020-8026

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "openSUSE Leap 15.2", "vendor": "openSUSE", "versions": [{"lessThanOrEqual": "2.6.2-lp152.1.26", "status": "affected", "version": "inn", "versionType": "custom"}]}, {"product": "openSUSE Tumbleweed", "vendor": "openSUSE", "versions": [{"lessThanOrEqual": "2.6.2-4.2", "status": "affected", "version": "inn", "versionType": "custom"}]}, {"product": "openSUSE Leap 15.1", "vendor": "openSUSE", "versions": [{"lessThanOrEqual": "2.5.4-lp151.3.3.1", "status": "affected", "version": "inn", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Matthias Gerstner/Johannes Segitz of SUSE"}], "datePublic": "2020-07-24T00:00:00", "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-18T17:06:35", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"}, {"name": "openSUSE-SU-2020:1271", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"}, {"name": "openSUSE-SU-2020:1272", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"}, {"name": "openSUSE-SU-2020:1304", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"}, {"name": "openSUSE-SU-2020:1427", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172573", "defect": ["1172573"], "discovery": "INTERNAL"}, "title": "inn: non-root owned files", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2020-07-24T00:00:00.000Z", "ID": "CVE-2020-8026", "STATE": "PUBLIC", "TITLE": "inn: non-root owned files"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openSUSE Leap 15.2", "version": {"version_data": [{"version_affected": "<=", "version_name": "inn", "version_value": "2.6.2-lp152.1.26"}]}}, {"product_name": "openSUSE Tumbleweed", "version": {"version_data": [{"version_affected": "<=", "version_name": "inn", "version_value": "2.6.2-4.2"}]}}, {"product_name": "openSUSE Leap 15.1", "version": {"version_data": [{"version_affected": "<=", "version_name": "inn", "version_value": "2.5.4-lp151.3.3.1"}]}}]}, "vendor_name": "openSUSE"}]}}, "credit": [{"lang": "eng", "value": "Matthias Gerstner/Johannes Segitz of SUSE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276: Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1172573", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"}, {"name": "openSUSE-SU-2020:1271", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"}, {"name": "openSUSE-SU-2020:1272", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"}, {"name": "openSUSE-SU-2020:1304", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"}, {"name": "openSUSE-SU-2020:1427", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172573", "defect": ["1172573"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:24.996Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"}, {"name": "openSUSE-SU-2020:1271", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"}, {"name": "openSUSE-SU-2020:1272", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"}, {"name": "openSUSE-SU-2020:1304", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"}, {"name": "openSUSE-SU-2020:1427", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2020-8026", "datePublished": "2020-08-07T09:25:13.939809Z", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-09-16T16:57:41.593Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "67E82302-4B77-44F3-97B1-24C18AC4A35D", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensuse:tumbleweed:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C65B15-A770-421F-A71E-FD6DB540EE1E", "versionEndIncluding": "2.6.2-4.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de Permisos Predeterminados Incorrectos en el paquete de inn en openSUSE Leap versi\u00f3n 15.2, openSUSE Tumbleweed, openSUSE Leap versi\u00f3n 15.1, permite a atacantes locales con control del nuevo usuario escalar sus privilegios a root. Este problema afecta a: inn versi\u00f3n 2.6.2-lp152.1.26 y versiones anteriores de openSUSE Leap versi\u00f3n 15.2. inn versi\u00f3n 2.6.2-4.2 y versiones anteriores de openSUSE Tumbleweed. inn versi\u00f3n 2.5.4-lp151.3.3.1 y versiones anteriores de openSUSE Leap versi\u00f3n 15.1"}], "id": "CVE-2020-8026", "lastModified": "2023-01-24T02:58:32.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2020-08-07T10:15:11.987", "references": [{"source": "meissner@suse.de", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"}, {"source": "meissner@suse.de", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"}, {"source": "meissner@suse.de", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"}, {"source": "meissner@suse.de", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"}, {"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "meissner@suse.de", "type": "Primary"}]}