CVE-2020-26880

Published: Oct 7, 2020Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.

Affected (7)

Products: Sympa: Sympa · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Sympa Sympa	Up to 6.2.56
Sympa Sympa	Version 6.2.57 beta1
Sympa Sympa	Version 6.2.57 beta2

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (14)

https://github.com/sympa-community/sympa/issues/1009

Source: cve@mitre.org

Third Party Advisory

https://github.com/sympa-community/sympa/issues/943#issuecomment-704779420

Source: cve@mitre.org

Third Party Advisory

https://github.com/sympa-community/sympa/issues/943#issuecomment-704842235

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CUVLHGWCDA6B2NH467ZMKL6O2NGLQZN/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5MFWWYY4TSQAXBWZ6SBFX43BLUL3WWI/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2TKOL454ZKKLQCUSUPNEZ52WELN4OAH/

Source: cve@mitre.org

https://github.com/sympa-community/sympa/issues/1009

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/sympa-community/sympa/issues/943#issuecomment-704779420

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/sympa-community/sympa/issues/943#issuecomment-704842235

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CUVLHGWCDA6B2NH467ZMKL6O2NGLQZN/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5MFWWYY4TSQAXBWZ6SBFX43BLUL3WWI/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2TKOL454ZKKLQCUSUPNEZ52WELN4OAH/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.