CVE-2020-10737

Published: May 27, 2020Modified: Nov 21, 2024

6.3

Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Exploitability: 0.3 / Impact: 5.9

Source: NVD

Description

A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink point to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.

Affected (1)

Products: Redhat: Oddjob

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Oddjob	Before 0.34.5

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10737

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch

Source: secalert@redhat.com

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10737

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.