CVE-2019-3699 — Link Following in Privoxy

CWE-59 — Link Following5 documents5 sources

Severity

7.8HIGHNVD

CNA7.7

EPSS

0.1%

top 69.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Privoxy Opensuse Factory Opensuse Leap 15.1

Timeline

PublishedJan 24

Latest updateMay 24

Description

UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of privoxy on openSUSE Leap 15.1, Factory allows local attackers to escalate from user privoxy to root. This issue affects: openSUSE Leap 15.1 privoxy version 3.0.28-lp151.1.1 and prior versions. openSUSE Factory privoxy version 3.0.28-2.1 and prior versions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5opensuse/factoryprivoxy — 3.0.28-2.1

▶CVEListV5opensuse/leap_15.1privoxy — 3.0.28-lp151.1.1

▶NVDprivoxy/privoxy< 3.0.28-lp151.1.1+1

🔴Vulnerability Details

GHSA

GHSA-j9ww-72pm-37h3: UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of privoxy on openSUSE Leap 15↗2022-05-24

▶

CVEList

Local privilege escalation from user privoxy to root↗2020-01-24

▶

📋Vendor Advisories

Red Hat

privoxy: local privilege escalation from privoxy to root↗2020-01-24

▶

💬Community

Bugzilla

CVE-2019-3699 privoxy: local privilege escalation from privoxy to root↗2020-02-14

▶