Vulnerability Details : CVE-2020-26932
debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group).
Products affected by CVE-2020-26932
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26932
- 0.09%: Probability of exploitation activity in the next 30 days
- ~37%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26932
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST | |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 2.8 | 1.4 | NIST | |
CWE ids for CVE-2020-26932
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-26932
- https://www.debian.org/security/2020/dsa-4818
  Debian -- Security Information -- DSA-4818-1 sympa (Vendor Advisory)
- https://bugs.debian.org/971904
  #971904 - sympa: restrict access to sympa_newaliases-wrapper (setuid root) to group sympa (CVE-2020-26932) - Debian Bug report logs (Vendor Advisory)
- https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1
  Restrict access to sympa_newaliases-wrapper (setuid root) to group sympa (!1) · Merge Requests · Debian Sympa Team / sympa · GitLab (Mailing List; Vendor Advisory)