CVE-2022-31253

CWE-426 | 4 documents | 4 sources

Severity: 7.8 HIGH
EPSS: 0.1% (top 83.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 9

Description

An Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change the ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects openSUSE Factory openldap2 versions prior to 2.6.3-404.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: opensuse/openldap2 < 2.6.3-404.1
CVEListV5: opensuse/factory openldap2 — 2.6.3-404.1

Vulnerability Details (2)

GHSA: GHSA-hxf4-pc5p-7f5c: An Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownersh (2022-11-09)
CVEList: openldap2: /usr/lib/openldap/start allows ldap user/group to recursively chown arbitrary directory trees to itself (2022-11-09)

Vendor Advisories (1)

Debian: CVE-2022-31253: openldap - An Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows lo... (2022)
Source: cvebase.io