CVE-2023-32190

CWE-125Out-of-bounds ReadCWE-732Incorrect Permission Assignment6 documents6 sources
Severity
8.5HIGH
EPSS
0.1%
top 66.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Suse Opensuse Tumbleweed
Timeline
PublishedOct 16

Description

mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5suse/opensuse_tumbleweed?0.26-37.1

🔴Vulnerability Details

3
CVEList
mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable2024-10-16
GHSA
GHSA-f97f-26jc-gffx: mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privi2024-10-16
OSV
CVE-2023-32190: mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privi2024-10-16

📋Vendor Advisories

2
Red Hat
mlocate: mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable2024-10-16
Debian
CVE-2023-32190: mlocate - mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world...2023
CVE-2023-32190 (HIGH CVSS 8.5) | mlocate's %post script allows RUN_U | cvebase.io