6.7
CVE-2021-35938
- EPSS 0.49%
- Veröffentlicht 25.08.2022 20:15:09
- Zuletzt bearbeitet 21.11.2024 06:12:47
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fedoraproject ≫ Fedora Version34
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.382 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.7 | 0.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
https://security.gentoo.org/glsa/202210-22
https://rpm.org/wiki/Releases/4.18.0
https://access.redhat.com/security/cve/CVE-2021-35938
https://bugzilla.redhat.com/show_bug.cgi?id=1964114
https://bugzilla.suse.com/show_bug.cgi?id=1157880
https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef22c1aecf3a9c033
https://github.com/rpm-software-management/rpm/pull/1919