CVE-2020-14004
published 2020-06-12CVE-2020-14004: An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icinga2 | < icinga2 2.11.5-1 (bookworm) | icinga2 2.11.5-1 (bookworm) |
| icinga | icinga | — | — |
| icinga | icinga | 2.0.0 – 2.11.3 | — |
| icinga | icinga2 | >= 0 < 2.11.5-1 | 2.11.5-1 |
| icinga | icinga2 | >= 0 < 2.11.5-1 | 2.11.5-1 |
| icinga | icinga2 | >= 0 < 2.11.5-1 | 2.11.5-1 |
| icinga | icinga2 | >= 0 < 2.11.5-1 | 2.11.5-1 |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH