CVE-2021-23239

Exploit

EPSS 0.04%
Published 12.01.2021 09:15:14
Last modified 21.11.2024 05:51:25
Source cve@mitre.org
Teams watchlist Login
Open Login

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Sudo Project ≫ Sudo Version < 1.8.32

Sudo Project ≫ Sudo Version >= 1.9.0 < 1.9.5

Netapp ≫ Cloud Backup Version-

Netapp ≫ Hci Management Node Version-

Netapp ≫ Solidfire Version-

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.09

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	1.9	3.4	2.9	AV:L/AC:M/Au:N/C:P/I:N/A:N

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2021-23239

Third Party Advisory

Exploit

Issue Tracking

https://lists.debian.org/debian-lts-announce/2022/11/msg00007.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EE42Y35SMJOLONAIBNYNFC7J44UUZ2Y6/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GMY4VSSBIND7VAYSN6T7XIWJRWG4GBB3/

https://security.gentoo.org/glsa/202101-33

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210129-0010/