Total
1140 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13095 | 1 Obdev | 1 Little Snitch | 2023-11-07 | 9.0 HIGH | 8.8 HIGH |
| Little Snitch version 4.5.1 and older changed ownership of a directory path controlled by the user. This allowed the user to escalate to root by linking the path to a directory containing code executed by root. | |||||
| CVE-2020-10174 | 3 Canonical, Fedoraproject, Timeshift Project | 3 Ubuntu Linux, Fedora, Timeshift | 2023-11-07 | 6.9 MEDIUM | 7.0 HIGH |
| init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used. | |||||
| CVE-2019-8454 | 2 Checkpoint, Microsoft | 2 Endpoint Security, Windows | 2023-11-07 | 6.9 MEDIUM | 7.0 HIGH |
| A local attacker can create a hard-link between a file to which the Check Point Endpoint Security client for Windows before E80.96 writes and another BAT file, then by impersonating the WPAD server, the attacker can write BAT commands into that file that will later be run by the user or the system. | |||||
| CVE-2019-18837 | 2 Crun Project, Fedoraproject | 2 Crun, Fedora | 2023-11-07 | 5.0 MEDIUM | 8.6 HIGH |
| An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't correctly check whether a target is a symlink, resulting in access to files outside of the container. This occurs in libcrun/linux.c and libcrun/chroot_realpath.c. | |||||
| CVE-2019-16775 | 5 Fedoraproject, Npmjs, Opensuse and 2 more | 6 Fedora, Npm, Leap and 3 more | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. | |||||
| CVE-2019-13636 | 1 Gnu | 1 Patch | 2023-11-07 | 5.8 MEDIUM | 5.9 MEDIUM |
| In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. | |||||
| CVE-2019-13229 | 1 Deepin | 1 Deepin Clone | 2023-11-07 | 6.6 MEDIUM | 5.5 MEDIUM |
| deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. | |||||
| CVE-2019-13228 | 1 Deepin | 1 Deepin-clone | 2023-11-07 | 6.6 MEDIUM | 4.7 MEDIUM |
| deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible. | |||||
| CVE-2019-13227 | 1 Deepin | 1 Deepin-clone | 2023-11-07 | 6.6 MEDIUM | 5.5 MEDIUM |
| In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. | |||||
| CVE-2019-13226 | 2 Deepin, Fedoraproject | 2 Deepin-clone, Fedora | 2023-11-07 | 6.9 MEDIUM | 7.0 HIGH |
| deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system. | |||||
| CVE-2019-12749 | 2 Canonical, Freedesktop | 2 Ubuntu Linux, Dbus | 2023-11-07 | 3.6 LOW | 7.1 HIGH |
| dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. | |||||
| CVE-2019-12209 | 1 Yubico | 1 Pam-u2f | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information. | |||||
| CVE-2019-11503 | 1 Canonical | 1 Snapd | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass." | |||||
| CVE-2019-10773 | 1 Yarnpkg | 1 Yarn | 2023-11-07 | 6.8 MEDIUM | 7.8 HIGH |
| In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set. | |||||
| CVE-2019-1002101 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2023-11-07 | 5.8 MEDIUM | 5.5 MEDIUM |
| The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0. | |||||
| CVE-2018-6954 | 3 Canonical, Opensuse, Systemd Project | 3 Ubuntu Linux, Leap, Systemd | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on. | |||||
| CVE-2018-1063 | 2 Redhat, Selinux Project | 2 Enterprise Linux, Selinux | 2023-11-07 | 3.3 LOW | 4.4 MEDIUM |
| Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11. | |||||
| CVE-2018-19638 | 1 Opensuse | 1 Supportutils | 2023-11-07 | 3.3 LOW | 4.7 MEDIUM |
| In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files. | |||||
| CVE-2018-19637 | 1 Opensuse | 1 Supportutils | 2023-11-07 | 3.6 LOW | 5.5 MEDIUM |
| Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection | |||||
| CVE-2018-17955 | 1 Opensuse | 1 Yast2-multipath | 2023-11-07 | 3.6 LOW | 5.5 MEDIUM |
| In yast2-multipath before version 4.1.1 a static temporary filename allows local attackers to overwrite files on systems without symlink protection | |||||