CVE-2021-25322

CWE-61 CWE-595 documents5 sources

Severity

7.8HIGH

EPSS

0.0%

top 89.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Factory Python-hyperkitty Project Python-hyperkitty Opensuse Leap 15.2

Timeline

PublishedJun 10

Latest updateMay 24

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 2.5 | Impact: 4.2

Affected Packages3 packages

▶NVDpython-hyperkitty_project/python-hyperkitty< 1.3.4-5.1+1

▶CVEListV5opensuse/factorypython-HyperKitty — 1.3.4-5.1

▶CVEListV5opensuse/leap_15.2python-HyperKitty — 1.3.2-lp152.2.3.1

🔴Vulnerability Details

GHSA

GHSA-9p78-xgfp-85mw: A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15↗2022-05-24

▶

CVEList

python-HyperKitty: hyperkitty-permissions.sh used during %post allows local privilege escalation from hyperkitty user to root↗2021-06-10

▶

OSV

CVE-2021-25322: A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15↗2021-06-10

▶

📋Vendor Advisories

Debian

CVE-2021-25322: hyperkitty - A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of o...↗2021

▶