CVE-2023-6395

CWE-20 — Improper Input Validation CWE-94 — Code Injection6 documents5 sources

Severity

9.8CRITICAL

EPSS

0.7%

top 28.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Extra Packages FOR Enterprise Linux Fedoraproject Fedora

Timeline

PublishedJan 16

Description

The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which may be included in certain configuration parameters. While the Mock documentation advises treating users added to the mock group as privileged, certain build systems invoking mock on behalf of users mi…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages3 packages

▶PyPItemplated-dictionary< 1.4.1

▶PyPItemplated_dictionary< 1.4.1

▶NVDfedoraproject/extra_packages7.0, 8.0, 9.0+2

Also affects: Fedora 38, 39

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Privilege escalation for users that can access mock configuration↗2024-01-16

▶

OSV

CVE-2023-6395: The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary cod↗2024-01-16

▶

OSV

Privilege escalation for users that can access mock configuration↗2024-01-16

▶

CVEList

Mock: privilege escalation for users that can access mock configuration↗2024-01-16

▶

📋Vendor Advisories

Red Hat

Mock: Privilege escalation for users that can access mock configuration↗2024-01-16

▶