Vulnerability Details : CVE-2020-8793
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.
Vulnerability category: File inclusion
Products affected by CVE-2020-8793
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-8793
EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~19% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-8793
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.7 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:N/A:N | 3.4 | 6.9 | NIST | 
4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.0 | 3.6 | NIST | 
CWE ids for CVE-2020-8793
- CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition): The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. Assigned by: nvd@nist.gov (Primary)
- CWE-426 (Untrusted Search Path): The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. Assigned by: nvd@nist.gov (Primary)
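As an added illustration of the TOCTOU weakness class listed above, written for this page and not taken from OpenSMTPD's source or from any published exploit for CVE-2020-8793: a privileged process that consumes files dropped into a shared directory first decides on a path name and then opens that same path name (the vulnerable pattern), versus opening first and validating the object it actually got through the descriptor (the hardened pattern). The function names, the temp-directory scenario and the sample message are constructed for the example; the symlink stands in for whatever an attacker would swap into the directory between the check and the use, since a real race is not reproduced deterministically here.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern (CWE-367): the decision is made on the path name, and the
 * open is made on the path name again. Between the two calls the directory entry
 * can be replaced, so the check does not constrain what is actually opened.
 * stat() also follows symlinks, so a symlink to a qualifying file passes the check. */
int open_owned_file_racy(const char *path, uid_t owner)
{
    struct stat st;

    if (stat(path, &st) == -1)                      /* check, by name */
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;
    return open(path, O_RDONLY);                    /* use, by name (race window) */
}

/* Hardened pattern: open first without following a symlink at the final
 * component, then validate the object that was actually opened through the fd.
 * The fd is pinned to that inode; later changes to the directory entry do not
 * matter. The st_nlink check also rejects a hard link planted into the directory. */
int open_owned_file_safe(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);

    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if fn() opened the path, 0 if it refused. */
static int try_open(int (*fn)(const char *, uid_t), const char *path)
{
    int fd = fn(path, getuid());

    if (fd == -1)
        return 0;
    close(fd);
    return 1;
}

/* Constructed scenario in a private temp directory: a regular file owned by us,
 * and a symlink to it standing in for the entry an attacker would swap in between
 * check and use. Result bits: 8 racy/regular, 4 racy/symlink, 2 safe/regular,
 * 1 safe/symlink. Expected 8|4|2 = 14: only the hardened version refuses the link.
 * Returns -1 if the scenario could not be set up. */
int run_demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char regular[PATH_MAX], link[PATH_MAX];
    const char msg[] = "constructed sample message\n";
    int fd, result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(regular, sizeof regular, "%s/message", dir);
    snprintf(link, sizeof link, "%s/swapped", dir);

    fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1) ||
        close(fd) == -1 || symlink(regular, link) == -1)
        return -1;

    result = (try_open(open_owned_file_racy, regular) << 3) |
             (try_open(open_owned_file_racy, link) << 2) |
             (try_open(open_owned_file_safe, regular) << 1) |
             try_open(open_owned_file_safe, link);

    unlink(link);
    unlink(regular);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();

    printf("result bits = %d (expect 14)\n", r);
    return r == 14 ? 0 : 1;
}
```

Build with `cc -Wall -o toctou-demo toctou-demo.c` and run it on Linux or a BSD. The point to carry over to real code is that every property the privileged side relies on (file type, owner, link count) must be read from the descriptor it will actually use, and that the subsequent read must go through that same descriptor, never through the path again.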
References for CVE-2020-8793
- https://usn.ubuntu.com/4294-1/ (USN-4294-1: OpenSMTPD vulnerabilities | Ubuntu security notices | Ubuntu; Third Party Advisory)
- http://seclists.org/fulldisclosure/2020/Feb/28 (Full Disclosure: Local information disclosure in OpenSMTPD (CVE-2020-8793); Mailing List, Third Party Advisory)
- https://www.openbsd.org/security.html (OpenBSD: Security; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/02/24/4 (oss-security - Local information disclosure in OpenSMTPD (CVE-2020-8793); Exploit, Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/ ([SECURITY] Fedora 32 Update: opensmtpd-6.6.4p1-2.fc32 - package-announce - Fedora Mailing-Lists; Mailing List, Third Party Advisory)