8.8

CVE-2019-25016

Exploit

EPSS 1.02%
Veröffentlicht 28.01.2021 20:15:12
Zuletzt bearbeitet 21.11.2024 04:39:44
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed to authenticated user to execute specific commands were not affected by this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opendoas Project ≫ Opendoas Version >= 6.6 <= 6.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.02%	0.767

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-459 Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

CWE-909 Missing Initialization of Resource

The product does not initialize a critical resource.

https://github.com/Duncaen/OpenDoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168

Patch

Third Party Advisory

https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d

Patch

Third Party Advisory

https://github.com/Duncaen/OpenDoas/issues/45

Third Party Advisory

Exploit

Issue Tracking

https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1

Third Party Advisory

Release Notes

https://security.gentoo.org/glsa/202107-11

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-25016

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-25016

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-25016

EUVD