CVE-2019-3691Link Following in Factory

CWE-59Link Following3 documents3 sources
Severity
7.8HIGHNVD
CNA7.7
EPSS
0.1%
top 64.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Opensuse FactorySuse Linux Enterprise Server 15Opensuse Munge
Timeline
PublishedJan 23
Latest updateMay 24

Description

A Symbolic Link (Symlink) Following vulnerability in the packaging of munge in SUSE Linux Enterprise Server 15; openSUSE Factory allowed local attackers to escalate privileges from user munge to root. This issue affects: SUSE Linux Enterprise Server 15 munge versions prior to 0.5.13-4.3.1. openSUSE Factory munge versions prior to 0.5.13-6.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

NVDopensuse/munge< 0.5.13-4.3.1+1
CVEListV5suse/suse_linux_enterprise_server_15munge0.5.13-4.3.1
CVEListV5opensuse/factorymunge0.5.13-6.1

🔴Vulnerability Details

2
GHSA
GHSA-q63p-x3h7-v3p5: A Symbolic Link (Symlink) Following vulnerability in the packaging of munge in SUSE SUSE Linux Enterprise Server 15; openSUSE Factory allowed local at2022-05-24
CVEList
Local privilege escalation from user munge to root2020-01-23
CVE-2019-3691 — Link Following in Opensuse Factory | cvebase