CVE-2022-31250Link Following in Tumbleweed

CWE-59Link Following3 documents3 sources
Severity
7.8HIGHNVD
CNA7.1
EPSS
0.1%
top 67.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Opensuse Tumbleweed
Timeline
PublishedJul 20
Latest updateJul 21

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5opensuse/tumbleweedkeylime6.4.2-1.1
NVDopensuse/tumbleweed< 6.4.2-1.1

🔴Vulnerability Details

2
GHSA
GHSA-frfj-3v3x-pvwx: A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to r2022-07-21
CVEList
keylime %post scriplet allows for privilege escalation from keylime user to root2022-07-20
CVE-2022-31250 — Link Following in Opensuse Tumbleweed | cvebase