CVE-2019-15901

Published: Oct 18, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. A setusercontext(3) call with flags to change the UID, primary GID, and secondary GIDs was replaced (on certain platforms: Linux and possibly NetBSD) with a single setuid(2) call. This resulted in neither changing the group id nor initializing secondary group ids.

Affected (1)

Products: Doas Project: Doas

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Doas Project Doas	Before 6.2

Running on/with	Platform Versions
Linux Linux Kernel	All versions

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (6)

https://github.com/slicer69/doas/commit/6cf0236184ff6304bf5e267ccf7ef02874069697

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/slicer69/doas/compare/6.1p1...6.2

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://github.com/slicer69/doas/pull/23

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/slicer69/doas/commit/6cf0236184ff6304bf5e267ccf7ef02874069697

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/slicer69/doas/compare/6.1p1...6.2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesThird Party Advisory

https://github.com/slicer69/doas/pull/23

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.