CVE-2020-8831Creation of Temporary File in Directory with Insecure Permissions in Apport

CWE-379Creation of Temporary File in Directory with Insecure PermissionsCWE-59Link Following8 documents5 sources
Severity
5.5MEDIUMNVD
CNA6.5
EPSS
0.1%
top 69.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Canonical ApportApport Project ApportCanonical Ubuntu Linux
Timeline
PublishedApr 22
Latest updateMay 24

Description

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5canonical/apport2.20.12.20.1-0ubuntu2.23+2
Ubuntuapport_project/apport< 2.20.1-0ubuntu2.23+3

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 19.10

🔴Vulnerability Details

5
GHSA
GHSA-33w2-prhc-2q89: Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory2022-05-24
OSV
apport vulnerabilities2020-06-15
CVEList
World writable root owned lock file created in user controllable location2020-04-22
OSV
CVE-2020-8831: Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory2020-04-02
OSV
apport vulnerabilities2020-04-02

📋Vendor Advisories

2
Ubuntu
Apport vulnerabilities2020-06-15
Ubuntu
Apport vulnerabilities2020-04-02
CVE-2020-8831 — Canonical Apport vulnerability | cvebase