CVE-2020-26932Incorrect Permission Assignment in Sympa

CWE-732Incorrect Permission Assignment4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 64.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
SympaDebian SympaDebian Linux
Timeline
PublishedOct 10
Latest updateMay 24

Description

debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

debiandebian/sympa< sympa 6.2.40~dfsg-7 (bookworm)
NVDsympa/sympa< 6.2.40
Debiansympa/sympa< 6.2.40~dfsg-7+3

Also affects: Debian Linux 10.0

🔴Vulnerability Details

2
GHSA
GHSA-rpg9-m4gw-3xwf: debian/sympa2022-05-24
OSV
CVE-2020-26932: debian/sympa2020-10-10

📋Vendor Advisories

1
Debian
CVE-2020-26932: sympa - debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mod...2020
CVE-2020-26932 — Incorrect Permission Assignment | cvebase