CVE-2022-21950 - OpenCVE

A Improper Access Control vulnerability in the systemd service of cana in openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 allows local users to hijack the UNIX domain socket This issue affects: openSUSE Backports SLE-15-SP3 canna versions prior to canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 canna versions prior to 3.7p3-bp154.3.3.1. openSUSE Factory was also affected. Instead of fixing the package it was deleted there.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opensuse	Backports Sle Canna Factory
Suse	Linux Enterprise

Configuration 1 [-]

AND

cpe:2.3:a:opensuse:canna:*:*:*:*:*:*:*:*

cpe:2.3:a:opensuse:backports_sle:15.0:sp3:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:opensuse:canna:*:*:*:*:*:*:*:*

cpe:2.3:a:opensuse:backports_sle:15.0:sp4:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:opensuse:canna:3.7p3:*:*:*:*:*:*:*

OR	cpe:2.3:a:opensuse:factory:-:::::::*
	cpe:2.3:o:suse:linux_enterprise:12.0:::::::*

No data.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=1199280

History

No history.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2022-09-07T08:40:10.110711Z

Updated: 2024-09-17T02:32:53.607Z

Reserved: 2021-12-16T00:00:00

Link: CVE-2022-21950

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-07T09:15:08.670

Modified: 2023-04-14T18:50:52.760

Link: CVE-2022-21950

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-21950", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "dateUpdated": "2024-09-17T02:32:53.607Z", "dateReserved": "2021-12-16T00:00:00", "datePublished": "2022-09-07T08:40:10.110711Z"}, "containers": {"cna": {"title": "canna: unsafe handling of /tmp/.iroha_unix directory", "datePublic": "2022-08-04T00:00:00", "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2023-01-19T00:00:00"}, "descriptions": [{"lang": "en", "value": "A Improper Access Control vulnerability in the systemd service of cana in openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 allows local users to hijack the UNIX domain socket This issue affects: openSUSE Backports SLE-15-SP3 canna versions prior to canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 canna versions prior to 3.7p3-bp154.3.3.1. openSUSE Factory was also affected. Instead of fixing the package it was deleted there."}], "affected": [{"vendor": "openSUSE", "product": "openSUSE Backports SLE-15-SP3", "versions": [{"version": "canna", "status": "affected", "lessThan": "canna-3.7p3-bp153.2.3.1", "versionType": "custom"}]}, {"vendor": "openSUSE", "product": "openSUSE Backports SLE-15-SP4", "versions": [{"version": "canna", "status": "affected", "lessThan": "3.7p3-bp154.3.3.1", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1199280"}], "credits": [{"lang": "en", "value": "Matthias Gerstner from SUSE"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-284: Improper Access Control", "cweId": "CWE-284"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1199280", "defect": ["1199280"], "discovery": "INTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:00:54.593Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1199280", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:canna:*:*:*:*:*:*:*:*", "matchCriteriaId": "627905AC-CD77-4169-B771-A681688BAA3A", "versionEndExcluding": "3.7p3-bp153.2.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "4847454B-DCD3-4F32-833E-6E51A90F06E9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:canna:*:*:*:*:*:*:*:*", "matchCriteriaId": "345554AF-5541-4D24-8FDB-1F0648F492FE", "versionEndExcluding": "3.7p3-bp154.3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp4:*:*:*:*:*:*", "matchCriteriaId": "842598F5-31B5-42D2-930C-B405314217B1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:canna:3.7p3:*:*:*:*:*:*:*", "matchCriteriaId": "C62B2B23-EA58-4EE8-B7AD-4FD074A64332", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*", "matchCriteriaId": "E29492E1-43D8-43BF-94E3-26A762A66FAA", "vulnerable": false}, {"criteria": "cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBC8B78D-1131-4F21-919D-8AC79A410FB9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Improper Access Control vulnerability in the systemd service of cana in openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 allows local users to hijack the UNIX domain socket This issue affects: openSUSE Backports SLE-15-SP3 canna versions prior to canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 canna versions prior to 3.7p3-bp154.3.3.1. openSUSE Factory was also affected. Instead of fixing the package it was deleted there."}, {"lang": "es", "value": "Una vulnerabilidad de Control de Acceso inapropiado en el servicio systemd de cana en openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 permite a usuarios locales secuestrar el socket de dominio UNIX Este problema afecta a: openSUSE Backports SLE-15-SP3 versiones de canna anteriores a canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 versiones de canna anteriores a 3.7p3-bp154.3.3.1. openSUSE Factory tambi\u00e9n est\u00e1 afectado. En lugar de arreglar el paquete fue eliminado all\u00ed"}], "id": "CVE-2022-21950", "lastModified": "2023-04-14T18:50:52.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2022-09-07T09:15:08.670", "references": [{"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1199280"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "meissner@suse.de", "type": "Primary"}]}