5.5

CVE-2020-15704

The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.

Data is provided by the National Vulnerability Database (NVD)
Canonical Ppp, Version < 2.4.7-1+ubuntu1.16.04.3
   Canonical Ubuntu Linux, Version 16.04, SwEdition lts
Canonical Ppp, Version < 2.4.7-2+2ubuntu1.3
   Canonical Ubuntu Linux, Version 18.04, SwEdition lts
Canonical Ppp, Version < 2.4.7-2+4.1ubuntu5.1
   Canonical Ubuntu Linux, Version 20.04, SwEdition lts
Canonical Ppp, Version < 2.4.5-5ubuntu1.4
   Canonical Ubuntu Linux, Version 12.04, SwEdition esm
Canonical Ppp, Version < 2.4.5-5.1ubuntu2.3+esm2
   Canonical Ubuntu Linux, Version 14.04, SwEdition esm
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.05% | 0.162
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov | 2.1 | 3.9 | 2.9 | AV:L/AC:L/Au:N/C:P/I:N/A:N
security@ubuntu.com | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.