CVE-2021-20001 — Incorrect Default Permissions in Debian-edu-config

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.8%

top 26.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Debian-edu-config Skolelinux Debian-edu-config Debian Linux

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5debian/debian-edu-config< 2.12.16

▶debiandebian/debian-edu-config< debian-edu-config 2.12.16 (bookworm)

▶NVDskolelinux/debian-edu-config< 2.12.16

▶Debianskolelinux/debian-edu-config< 2.11.56+deb11u3+3

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: salsa.debian.org ↗Patch: salsa.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-jxq6-5qhp-mg2v: It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2↗2022-02-12

▶

OSV

CVE-2021-20001: It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2↗2022-02-11

▶

📋Vendor Advisories

Debian

CVE-2021-20001: debian-edu-config - It was discovered, that debian-edu-config, a set of configuration files used for...↗2021

▶