CVE-2021-20001 - OpenCVE

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Skolelinux	Debian-edu-config

Configuration 1 [-]

cpe:2.3:a:skolelinux:debian-edu-config:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html
https://lists.debian.org/debian-security-announce/2022/msg00039.html
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5
https://www.debian.org/security/2022/dsa-5072

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2022-02-11T19:50:09.720584Z

Updated: 2024-09-16T23:41:36.975Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20001

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-11T20:15:07.387

Modified: 2022-02-22T20:10:48.863

Link: CVE-2021-20001

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "debian-edu-config", "vendor": "Debian", "versions": [{"status": "affected", "version": "< 2.12.16"}]}], "datePublic": "2022-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation."}], "problemTypes": [{"descriptions": [{"description": "insecure permissions", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-14T14:06:28", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"}, {"name": "[debian-lts-announce] 20220211 [SECURITY] [DLA 2918-1] debian-edu-config security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"}, {"name": "[debian-security-announce] 20220211 [SECURITY] [DSA 5072-1] debian-edu-config security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"}, {"name": "DSA-5072", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5072"}], "source": {"advisory": "DSA-5072-1", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "DATE_PUBLIC": "2022-02-11T00:00:00.000Z", "ID": "CVE-2021-20001", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "debian-edu-config", "version": {"version_data": [{"version_value": "< 2.12.16"}]}}]}, "vendor_name": "Debian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "insecure permissions"}]}]}, "references": {"reference_data": [{"name": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5", "refsource": "MISC", "url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"}, {"name": "[debian-lts-announce] 20220211 [SECURITY] [DLA 2918-1] debian-edu-config security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"}, {"name": "[debian-security-announce] 20220211 [SECURITY] [DSA 5072-1] debian-edu-config security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"}, {"name": "DSA-5072", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5072"}]}, "source": {"advisory": "DSA-5072-1", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:30:07.342Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"}, {"name": "[debian-lts-announce] 20220211 [SECURITY] [DLA 2918-1] debian-edu-config security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"}, {"name": "[debian-security-announce] 20220211 [SECURITY] [DSA 5072-1] debian-edu-config security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"}, {"name": "DSA-5072", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5072"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2021-20001", "datePublished": "2022-02-11T19:50:09.720584Z", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-09-16T23:41:36.975Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:skolelinux:debian-edu-config:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AB4D9B7-395A-48E1-8553-EB1B80255926", "versionEndExcluding": "2.12.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation."}, {"lang": "es", "value": "Se ha detectado que debian-edu-config, un conjunto de archivos de configuraci\u00f3n usados para la mezcla de Debian Edu, versiones anteriores a 2.12.16, configuraba permisos no seguros para los recursos compartidos de la web del usuario (~/public_html), lo que podr\u00eda resultar en una escalada de privilegios"}], "id": "CVE-2021-20001", "lastModified": "2022-02-22T20:10:48.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T20:15:07.387", "references": [{"source": "security@debian.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"}, {"source": "security@debian.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"}, {"source": "security@debian.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5072"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}