Vulnerability-Lookup - Search a vulnerability

All the vulnerabilites related to openSUSE - openSUSE Leap Micro 5.2

cve-2022-31252

Vulnerability from cvelistv5

Published

2022-10-06 17:14

Modified

2024-09-16 18:40

Severity ?

4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225.

References

▼	URL	Tags
	https://bugzilla.suse.com/show_bug.cgi?id=1203018

Impacted products

Vendor

Product

Version

▼

SUSE

SUSE Linux Enterprise Server 12-SP5

Version: permissions < 20170707

openSUSE	openSUSE Leap 15.3	Version: permissions < 20200127
openSUSE	openSUSE Leap 15.4	Version: permissions < 20201225
openSUSE	openSUSE Leap Micro 5.2	Version: permissions < 20181225

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1203018"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SUSE Linux Enterprise Server 12-SP5",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "20170707",
              "status": "affected",
              "version": "permissions",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "openSUSE Leap 15.3",
          "vendor": "openSUSE",
          "versions": [
            {
              "lessThan": "20200127",
              "status": "affected",
              "version": "permissions",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "openSUSE Leap 15.4",
          "vendor": "openSUSE",
          "versions": [
            {
              "lessThan": "20201225",
              "status": "affected",
              "version": "permissions",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "openSUSE Leap Micro 5.2",
          "vendor": "openSUSE",
          "versions": [
            {
              "lessThan": "20181225",
              "status": "affected",
              "version": "permissions",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Martin Wilck from SUSE"
        }
      ],
      "datePublic": "2022-09-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-11T00:00:00",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1203018"
        }
      ],
      "source": {
        "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1203018",
        "defect": [
          "1203018"
        ],
        "discovery": "INTERNAL"
      },
      "title": "permissions: chkstat does not check for group-writable parent directories or target files in safeOpen()",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2022-31252",
    "datePublished": "2022-10-06T17:14:05.294457Z",
    "dateReserved": "2022-05-20T00:00:00",
    "dateUpdated": "2024-09-16T18:40:06.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}