CVE-2022-31252

Severity: 4.4 MEDIUM
EPSS: 0.1% (top 76.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 6

Description

An Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group that can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 1.8 | Impact: 2.5

Affected Packages (7 packages)

CVEListV5 | opensuse/opensuse_leap_micro_5.2 | permissions | 20181225
CVEListV5 | opensuse/opensuse_leap_15.3 | permissions | 20200127
CVEListV5 | opensuse/opensuse_leap_15.4 | permissions | 20201225
NVD | opensuse/leap | 15.3, 15.4 +1

Vulnerability Details (2)

CVEList: permissions: chkstat does not check for group-writable parent directories or target files in safeOpen() (2022-10-06)
GHSA: GHSA-hr65-wxm7-w4jv: An Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15 (2022-10-06)