CVE-2020-36657 : uptimed before 0.4.6-r1 on Gentoo allows local users (with access to the uptimed

uptimed before 0.4.6-r1 on Gentoo allows local users (with access to the uptimed user account) to gain root privileges by creating a hard link within the /var/spool/uptimed directory, because there is an unsafe chown -R call.

Published 2023-01-26 21:15:22

Updated 2023-05-03 12:15:15

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-36657

Uptimed Project » Uptimed » For Gentoo
Versions before (<) 0.4.6
cpe:2.3:a:uptimed_project:uptimed:*:*:*:*:*:gentoo:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-36657

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 7 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-36657

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2020-36657

https://bugs.gentoo.org/630810

630810 – (CVE-2020-36657) <app-misc/uptimed-0.4.6-r1: root privilege escalation via "chown -R" in pkg_postinst
Exploit;Patch;Third Party Advisory
https://security.gentoo.org/glsa/202305-14

uptimed: Root Privilege Escalation (GLSA 202305-14) — Gentoo security

Jump to

Vulnerability Details : CVE-2020-36657

Products affected by CVE-2020-36657

Exploit prediction scoring system (EPSS) score for CVE-2020-36657

CVSS scores for CVE-2020-36657

References for CVE-2020-36657