Total
1181 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13229 | 1 Deepin | 1 Deepin Clone | 2024-11-21 | 6.6 MEDIUM | 5.5 MEDIUM |
| deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. | |||||
| CVE-2019-13228 | 1 Deepin | 1 Deepin-clone | 2024-11-21 | 6.6 MEDIUM | 4.7 MEDIUM |
| deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible. | |||||
| CVE-2019-13227 | 1 Deepin | 1 Deepin-clone | 2024-11-21 | 6.6 MEDIUM | 5.5 MEDIUM |
| In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. | |||||
| CVE-2019-13226 | 2 Deepin, Fedoraproject | 2 Deepin-clone, Fedora | 2024-11-21 | 6.9 MEDIUM | 7.0 HIGH |
| deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system. | |||||
| CVE-2019-13173 | 1 Fstream Project | 1 Fstream | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable. | |||||
| CVE-2019-12779 | 1 Clusterlabs | 1 Libqb | 2024-11-21 | 6.6 MEDIUM | 7.1 HIGH |
| libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL. | |||||
| CVE-2019-12749 | 2 Canonical, Freedesktop | 2 Ubuntu Linux, Dbus | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. | |||||
| CVE-2019-12672 | 1 Cisco | 1 Ios | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to execute the code with root privileges on the underlying OS of the affected device. | |||||
| CVE-2019-12573 | 3 Apple, Linux, Londontrustmedia | 3 Macos, Linux Kernel, Private Internet Access Vpn Client | 2024-11-21 | 6.6 MEDIUM | 7.1 HIGH |
| A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user. | |||||
| CVE-2019-12571 | 2 Apple, Londontrustmedia | 2 Macos, Private Internet Access Vpn Client | 2024-11-21 | 6.6 MEDIUM | 7.1 HIGH |
| A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user. | |||||
| CVE-2019-12209 | 1 Yubico | 1 Pam-u2f | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information. | |||||
| CVE-2019-11879 | 1 Ruby-lang | 1 Webrick | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem. | |||||
| CVE-2019-11538 | 1 Ivanti | 1 Connect Secure | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
| In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device. | |||||
| CVE-2019-11503 | 1 Canonical | 1 Snapd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass." | |||||
| CVE-2019-11502 | 1 Canonical | 1 Snapd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory. | |||||
| CVE-2019-11481 | 2 Apport Project, Canonical | 2 Apport, Ubuntu Linux | 2024-11-21 | 6.1 MEDIUM | 3.8 LOW |
| Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences. | |||||
| CVE-2019-11396 | 2 Avira, Microsoft | 3 Free Security Suite, Software Updater, Windows | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Avira Free Security Suite 10. The permissive access rights on the SoftwareUpdater folder (files / folders and configuration) are incompatible with the privileged file manipulation performed by the product. Files can be created that can be used by an unprivileged user to obtain SYSTEM privileges. Arbitrary file creation can be achieved by abusing the SwuConfig.json file creation: an unprivileged user can replace these files by pseudo-symbolic links to arbitrary files. When an update occurs, a privileged service creates a file and sets its access rights, offering write access to the Everyone group in any directory. | |||||
| CVE-2019-11251 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 4.3 MEDIUM | 4.8 MEDIUM |
| The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree. | |||||
| CVE-2019-11230 | 1 Avast | 1 Antivirus | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
| In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart. | |||||
| CVE-2019-10773 | 1 Yarnpkg | 1 Yarn | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set. | |||||