CVE-2021-25630

Published: Feb 23, 2021Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

"loolforkit" is a privileged program that is supposed to be run by a special, non-privileged "lool" user. Before doing anything else "loolforkit" checks, if it was invoked by the "lool" user, and refuses to run with privileges, if it's not the case. In the vulnerable version of "loolforkit" this check was wrong, so a normal user could start "loolforkit" and eventually get local root privileges.

Affected (2)

Products: Collaboraoffice: Online

Collaboraoffice

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Collaboraoffice Online	From 4.2.0 to 4.2.13
Collaboraoffice Online	From 6.4.0 to 6.4.3

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://github.com/CollaboraOnline/online/security/advisories/GHSA-49w3-gr3w-m68v

Source: security@documentfoundation.org

Third Party Advisory

https://www.openwall.com/lists/oss-security/2021/01/18/3

Source: security@documentfoundation.org

Mailing ListThird Party Advisory

https://github.com/CollaboraOnline/online/security/advisories/GHSA-49w3-gr3w-m68v

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.openwall.com/lists/oss-security/2021/01/18/3

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.