Total
1181 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19695 | 1 Trendmicro | 1 Antivirus | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A privilege escalation vulnerability in Trend Micro Antivirus for Mac 2019 (v9.0.1379 and below) could potentially allow an attacker to create a symbolic link to a target file and modify it. | |||||
| CVE-2019-19693 | 2 Microsoft, Trendmicro | 5 Windows, Antivirus\+ Security 2020, Internet Security 2020 and 2 more | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| The Trend Micro Security 2020 consumer family of products contains a vulnerability that could allow a local attacker to disclose sensitive information or to create a denial-of-service condition on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2019-19191 | 1 Shibboleth | 1 Service Provider | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow. | |||||
| CVE-2019-18932 | 2 Opensuse, Squid Analysis Report Generator Project | 3 Backports Sle, Leap, Squid Analysis Report Generator | 2024-11-21 | 4.4 MEDIUM | 7.0 HIGH |
| log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations. | |||||
| CVE-2019-18901 | 2 Opensuse, Suse | 2 Leap, Linux Enterprise Server | 2024-11-21 | 2.1 LOW | 5.1 MEDIUM |
| A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Linux Enterprise Server 12 mariadb versions prior to 10.2.31-3.25.1. SUSE Linux Enterprise Server 15 mariadb versions prior to 10.2.31-3.26.1. | |||||
| CVE-2019-18898 | 2 Opensuse, Suse | 4 Leap, Opensuse Factory, Suse Linux Enterprise Server and 1 more | 2024-11-21 | 7.2 HIGH | 7.7 HIGH |
| UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1. | |||||
| CVE-2019-18897 | 2 Opensuse, Suse | 2 Leap, Linux Enterprise Server | 2024-11-21 | 7.2 HIGH | 8.4 HIGH |
| A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of salt of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Factory allows local attackers to escalate privileges from user salt to root. This issue affects: SUSE Linux Enterprise Server 12 salt-master version 2019.2.0-46.83.1 and prior versions. SUSE Linux Enterprise Server 15 salt-master version 2019.2.0-6.21.1 and prior versions. openSUSE Factory salt-master version 2019.2.2-3.1 and prior versions. | |||||
| CVE-2019-18837 | 2 Crun Project, Fedoraproject | 2 Crun, Fedora | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't correctly check whether a target is a symlink, resulting in access to files outside of the container. This occurs in libcrun/linux.c and libcrun/chroot_realpath.c. | |||||
| CVE-2019-18658 | 1 Helm | 1 Helm | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue. | |||||
| CVE-2019-18645 | 1 Totaldefense | 1 Anti-virus | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The quarantine restoration function in Total Defense Anti-virus 11.5.2.28 is vulnerable to symbolic link attacks, allowing files to be written to privileged directories. | |||||
| CVE-2019-18575 | 1 Dell | 1 Command\|configure | 2024-11-21 | 6.6 MEDIUM | 7.1 HIGH |
| Dell Command Configure versions prior to 4.2.1 contain an uncontrolled search path vulnerability. A locally authenticated malicious user could exploit this vulnerability by creating a symlink to a target file, allowing the attacker to overwrite or corrupt a specified file on the system. | |||||
| CVE-2019-18466 | 1 Libpod Project | 1 Libpod | 2024-11-21 | 5.8 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host. | |||||
| CVE-2019-18232 | 2 Gemalto, Microsoft | 2 Sentinel Ldk License Manager, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| SafeNet Sentinel LDK License Manager, all versions prior to 7.101(only Microsoft Windows versions are affected) is vulnerable when configured as a service. This vulnerability may allow an attacker with local access to create, write, and/or delete files in system folder using symbolic links, leading to a privilege escalation. This vulnerability could also be used by an attacker to execute a malicious DLL, which could impact the integrity and availability of the system. | |||||
| CVE-2019-17445 | 2 Eracent, Linux | 7 Eda Agent, Epa Agent, Epm Agent and 4 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Eracent EDA, EPA, EPM, EUA, FLW, and SUM Agent through 10.2.26. The agent executable, when installed for non-root operations (scanning), can be forced to copy files from the filesystem to other locations via Symbolic Link Following. | |||||
| CVE-2019-16896 | 1 K7computing | 1 K7 Ultimate Security | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| In K7 Ultimate Security 16.0.0117, the module K7BKCExt.dll (aka the backup module) improperly validates the administrative privileges of the user, allowing an arbitrary file write via a symbolic link attack with file restoration functionality. | |||||
| CVE-2019-15627 | 2 Microsoft, Trendmicro | 2 Windows, Deep Security | 2024-11-21 | 6.6 MEDIUM | 7.1 HIGH |
| Versions 10.0, 11.0 and 12.0 of the Trend Micro Deep Security Agent are vulnerable to an arbitrary file delete attack, which may lead to availability impact. Local OS access is required. Please note that only Windows agents are affected. | |||||
| CVE-2019-13915 | 1 B3log | 1 Wide | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access. | |||||
| CVE-2019-13689 | 1 Google | 2 Chrome, Chrome Os | 2024-11-21 | N/A | 7.8 HIGH |
| Inappropriate implementation in OS in Google Chrome on ChromeOS prior to 75.0.3770.80 allowed a remote attacker to perform arbitrary read/write via a malicious file. (Chromium security severity: Critical) | |||||
| CVE-2019-13636 | 1 Gnu | 1 Patch | 2024-11-21 | 5.8 MEDIUM | 5.9 MEDIUM |
| In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. | |||||
| CVE-2019-13382 | 2 Microsoft, Techsmith | 2 Windows, Snagit | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| UploaderService in SnagIT 2019.1.2 allows elevation of privilege by placing an invalid presentation file in %PROGRAMDATA%\TechSmith\TechSmith Recorder\QueuedPresentations and then creating a symbolic link in %PROGRAMDATA%\Techsmith\TechSmith Recorder\InvalidPresentations that points to an arbitrary folder with an arbitrary file name. TechSmith Relay Classic Recorder prior to 5.2.1 on Windows is vulnerable. The vulnerability was introduced in SnagIT Windows 12.4.1. | |||||