Vulnerability Details : CVE-2020-36770
pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root ownership to files in the live root filesystem. This could be exploited by the slurm user to become the owner of root-owned files.
Products affected by CVE-2020-36770
- cpe:2.3:a:gentoo:ebuild_for_slurm:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-36770
- 0.15%: probability of exploitation activity in the next 30 days
- ~52%: percentile, the proportion of vulnerabilities scored at or below this level
CVSS scores for CVE-2020-36770
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 2024-01-22
References for CVE-2020-36770
- https://bugs.gentoo.org/631552 : 631552 – sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst (Exploit; Issue Tracking; Patch)