CVE-2019-15900

An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root.
Configurations

Configuration 1 (hide)

cpe:2.3:a:doas_project:doas:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:29

Type Values Removed Values Added
References () https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9391d607ec265a1e06531 - Patch () https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9391d607ec265a1e06531 - Patch
References () https://github.com/slicer69/doas/compare/6.1p1...6.2 - Release Notes () https://github.com/slicer69/doas/compare/6.1p1...6.2 - Release Notes

16 Feb 2024, 15:34

Type Values Removed Values Added
CWE CWE-252

Information

Published : 2019-10-18 16:15

Updated : 2024-11-21 04:29


NVD link : CVE-2019-15900

Mitre link : CVE-2019-15900

CVE.ORG link : CVE-2019-15900


JSON object : View

Products Affected

doas_project

  • doas
CWE
CWE-252

Unchecked Return Value

CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-863

Incorrect Authorization

CWE-908

Use of Uninitialized Resource