CVE-2019-15900

An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9391d607ec265a1e06531	Patch
https://github.com/slicer69/doas/compare/6.1p1...6.2	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:doas_project:doas:*:*:*:*:*:*:*:*

History

16 Feb 2024, 15:34

Type	Values Removed	Values Added
CWE		CWE-252

Information

Published : 2019-10-18 16:15

Updated : 2024-02-28 17:28

NVD link : CVE-2019-15900

Mitre link : CVE-2019-15900

CVE.ORG link : CVE-2019-15900

JSON object : View

Products Affected

doas_project

doas

CWE

CWE-252

Unchecked Return Value

CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-863

Incorrect Authorization

CWE-908

Use of Uninitialized Resource

{"id": "CVE-2019-15900", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-10-18T16:15:10.257", "references": [{"url": "https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9391d607ec265a1e06531", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/slicer69/doas/compare/6.1p1...6.2", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-754"}, {"lang": "en", "value": "CWE-863"}, {"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root."}, {"lang": "es", "value": "Se detect\u00f3 un problema en slicer69 doas versiones anteriores a 6.2 en determinadas plataformas diferentes de OpenBSD. En plataformas sin strtonum(3), se utiliz\u00f3 sscanf sin comprobar los casos de error. En cambio, la variable no inicializada errstr fue comprobada y en algunos casos se devolvi\u00f3 con \u00e9xito incluso si sscanf fallaba. El resultado fue que, en vez de reportar que el nombre de usuario o nombre de grupo suministrado no exist\u00eda, ejecutar\u00eda el comando como root."}], "lastModified": "2024-02-16T15:34:01.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:doas_project:doas:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B57E67C2-7E3C-4F0C-AC58-B958EAFFE1F9", "versionEndExcluding": "6.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}