Vulnerability Details : CVE-2021-20001
It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.
Vulnerability category: Gain privilege
Products affected by CVE-2021-20001
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:skolelinux:debian-edu-config:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-20001
0.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-20001
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-20001
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-20001
-
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5
etc/apache2/mods-available/debian-edu-userdir.conf: Disable built-in PHP engine. (4d39a588) · Commits · Debian Edu / debian-edu-config · GitLabPatch;Third Party Advisory
-
https://www.debian.org/security/2022/dsa-5072
Debian -- Security Information -- DSA-5072-1 debian-edu-configThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html
[SECURITY] [DLA 2918-1] debian-edu-config security updateMailing List;Third Party Advisory
-
https://lists.debian.org/debian-security-announce/2022/msg00039.html
[SECURITY] [DSA 5072-1] debian-edu-config security updateMailing List;Third Party Advisory
Jump to