CVE-2020-8023

A acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in the start script of openldap2 of SUSE Enterprise Storage 5, SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SECURITY, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8; openSUSE Leap 15.1, openSUSE Leap 15.2 allows local attackers to escalate privileges from user ldap to root. This issue affects: SUSE Enterprise Storage 5 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Debuginfo 11-SP3 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Debuginfo 11-SP4 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Point of Sale 11-SP3 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Server 11-SECURITY openldap2-client-openssl1 versions prior to 2.4.26-0.74.13.1. SUSE Linux Enterprise Server 11-SP4-LTSS openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Server 12-SP2-BCL openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP2-LTSS openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP3-BCL openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP3-LTSS openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP4 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP5 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 15-LTSS openldap2 versions prior to 2.4.46-9.31.1. SUSE Linux Enterprise Server for SAP 12-SP2 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server for SAP 12-SP3 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server for SAP 15 openldap2 versions prior to 2.4.46-9.31.1. SUSE OpenStack Cloud 7 openldap2 versions prior to 2.4.41-18.71.2. SUSE OpenStack Cloud 8 openldap2 versions prior to 2.4.41-18.71.2. SUSE OpenStack Cloud Crowbar 8 openldap2 versions prior to 2.4.41-18.71.2. openSUSE Leap 15.1 openldap2 versions prior to 2.4.46-lp151.10.12.1. openSUSE Leap 15.2 openldap2 versions prior to 2.4.46-lp152.14.3.1.

CVSS v3 7.7 HIGH
CVSS v2.0 7.2 HIGH

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1172698	Exploit Issue Tracking Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1172698	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:opensuse:openldap2:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:suse:enterprise_storage:5.0:::::::*
	cpe:2.3:a:suse:openstack_cloud:7.0:::::::*
	cpe:2.3:a:suse:openstack_cloud:8.0:::::::*
	cpe:2.3:a:suse:openstack_cloud_crowbar:8.0:::::::*
	cpe:2.3:o:suse:linux_enterprise_server:12:sp2::::::
	cpe:2.3:o:suse:linux_enterprise_server:12:sp2::::sap::*
	cpe:2.3:o:suse:linux_enterprise_server:12:sp2:::ltss:::*
	cpe:2.3:o:suse:linux_enterprise_server:12:sp3::::sap::*
	cpe:2.3:o:suse:linux_enterprise_server:12:sp3:::-:-::
	cpe:2.3:o:suse:linux_enterprise_server:12:sp3:::ltss:::*
	cpe:2.3:o:suse:linux_enterprise_server:12:sp4::::::
	cpe:2.3:o:suse:linux_enterprise_server:12:sp5::::::

Configuration 2 (hide)

AND

cpe:2.3:a:opensuse:openldap2:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp3::::::
	cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4::::::
	cpe:2.3:a:suse:linux_enterprise_point_of_sale:11:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_server:11:-::::::
	cpe:2.3:o:suse:linux_enterprise_server:11:sp4:::ltss:::*

Configuration 3 (hide)

AND

cpe:2.3:a:opensuse:openldap2:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:suse:linux_enterprise_server:15:::::ltss::
	cpe:2.3:o:suse:linux_enterprise_server:15:::::sap::

Configuration 4 (hide)

AND

cpe:2.3:a:opensuse:openldap2:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

History

21 Nov 2024, 05:38

Type	Values Removed	Values Added
References	~~() https://bugzilla.suse.com/show_bug.cgi?id=1172698 - Exploit, Issue Tracking, Vendor Advisory~~	() https://bugzilla.suse.com/show_bug.cgi?id=1172698 - Exploit, Issue Tracking, Vendor Advisory
CVSS	v2 : ~~7.2~~ v3 : ~~7.8~~	v2 : 7.2 v3 : 7.7

Information

Published : 2020-09-01 12:15

Updated : 2024-11-21 05:38

NVD link : CVE-2020-8023

Mitre link : CVE-2020-8023

CVE.ORG link : CVE-2020-8023

JSON object : View

Products Affected

suse

linux_enterprise_server
linux_enterprise_point_of_sale
openstack_cloud_crowbar
openstack_cloud
enterprise_storage
linux_enterprise_debuginfo

opensuse

leap
openldap2

CWE

CWE-349

Acceptance of Extraneous Untrusted Data With Trusted Data

7.7 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

7.2 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2020-8023

7.7^/10

7.2^/10

Attach tags to `CVE-2020-8023`