CVE-2020-10737

EPSS 0.11%
Published 27.05.2020 01:15:09
Last modified 21.11.2024 04:55:58
Source secalert@redhat.com
Teams watchlist Login
Open Login

A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink point to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Oddjob Version < 0.34.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.269

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.3	0.3	5.9	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	3.7	1.9	6.4	AV:L/AC:H/Au:N/C:P/I:P/A:P
secalert@redhat.com	6.3	0.3	5.9	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10737

Vendor Advisory

Issue Tracking

https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-10737

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-10737

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-10737

EUVD