CVE-2019-7307Time-of-check Time-of-use (TOCTOU) Race Condition in Apport

CWE-367Time-of-check Time-of-use (TOCTOU) Race Condition6 documents5 sources
Severity
7.0HIGHNVD
EPSS
0.0%
top 95.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apport Project ApportUbuntu Apport
Timeline
PublishedAug 29
Latest updateMay 24

Description

Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the users ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of this other file in the resulting crash report. The crash report could then be read by that user either by causing it to be uploaded and reported t

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages3 packages

Ubuntuapport_project/apport< 2.20.1-0ubuntu2.19+2
CVEListV5ubuntu/apport5 versions+4
NVDapport_project/apport4 versions+3

🔴Vulnerability Details

3
GHSA
GHSA-75vh-qgvc-r573: Apport before versions 22022-05-24
CVEList
Apport contains a TOCTTOU vulnerability when reading the users ~/.apport-ignore.xml2019-08-29
OSV
CVE-2019-7307: Apport before versions 22019-07-09

📋Vendor Advisories

2
Ubuntu
Apport vulnerability2019-07-09
Ubuntu
Apport vulnerability2019-07-09
CVE-2019-7307 — Ubuntu Apport vulnerability | cvebase