ID CVE-2019-25016
Summary In OpenDoas from 6.6 to 6.8, the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed the authenticated user to execute specific commands were not affected by this issue.
Vulnerable Configurations
  • cpe:2.3:a:opendoas_project:opendoas:6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:opendoas_project:opendoas:6.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:opendoas_project:opendoas:6.8:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 26-04-2022 - 16:14)
Impact:
Exploitability:
CWE CWE-909
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
Last major update 26-04-2022 - 16:14
Published 28-01-2021 - 20:15
Last modified 26-04-2022 - 16:14