Search
Total
874 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28153 | 2 Fedoraproject, Gnome | 2 Fedora, Glib | 2022-06-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.) | |||||
| CVE-2022-24904 | 1 Linuxfoundation | 1 Argo-cd | 2022-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround. | |||||
| CVE-2021-20197 | 4 Broadcom, Gnu, Netapp and 1 more | 6 Brocade Fabric Operating System Firmware, Binutils, Cloud Backup and 3 more | 2022-06-03 | 3.3 LOW | 6.3 MEDIUM |
| There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink. | |||||
| CVE-2020-25989 | 1 Pritunl | 1 Pritunl-client-electron | 2022-06-02 | 7.2 HIGH | 7.8 HIGH |
| Privilege escalation via arbitrary file write in pritunl electron client 1.0.1116.6 through v1.2.2550.20. Successful exploitation of the issue may allow an attacker to execute code on the effected system with root privileges. | |||||
| CVE-2022-30523 | 1 Trendmicro | 1 Password Manager | 2022-05-25 | 7.2 HIGH | 7.8 HIGH |
| Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine. | |||||
| CVE-2022-23742 | 2 Checkpoint, Microsoft | 2 Endpoint Security, Windows | 2022-05-23 | 4.6 MEDIUM | 7.8 HIGH |
| Check Point Endpoint Security Client for Windows versions earlier than E86.40 copy files for forensics reports from a directory with low privileges. An attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. | |||||
| CVE-2021-28650 | 2 Fedoraproject, Gnome | 2 Fedora, Gnome-autoar | 2022-05-20 | 2.1 LOW | 5.5 MEDIUM |
| autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241. | |||||
| CVE-2020-24654 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2022-05-20 | 4.3 MEDIUM | 3.3 LOW |
| In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory. | |||||
| CVE-2021-28163 | 5 Apache, Eclipse, Fedoraproject and 2 more | 23 Ignite, Solr, Jetty and 20 more | 2022-05-12 | 4.0 MEDIUM | 2.7 LOW |
| In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. | |||||
| CVE-2022-20103 | 2 Google, Mediatek | 45 Android, Mt6580, Mt6739 and 42 more | 2022-05-12 | 2.1 LOW | 4.4 MEDIUM |
| In aee daemon, there is a possible information disclosure due to symbolic link following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06383944; Issue ID: ALPS06282684. | |||||
| CVE-2022-20085 | 2 Google, Mediatek | 53 Android, Mt6580, Mt6731 and 50 more | 2022-05-10 | 4.6 MEDIUM | 6.7 MEDIUM |
| In netdiag, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308877; Issue ID: ALPS06308877. | |||||
| CVE-2022-24372 | 1 Linksys | 2 Mr9600, Mr9600 Firmware | 2022-05-09 | 4.9 MEDIUM | 4.6 MEDIUM |
| Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share. | |||||
| CVE-2021-27229 | 2 Debian, Mumble | 2 Debian Linux, Mumble | 2022-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text. | |||||
| CVE-2020-27697 | 2 Microsoft, Trendmicro | 5 Windows, Antivirus\+ Security 2020, Internet Security 2020 and 2 more | 2022-05-03 | 6.9 MEDIUM | 7.8 HIGH |
| Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product. | |||||
| CVE-2020-4717 | 1 Ibm | 1 Spss Modeler | 2022-05-03 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability exists in IBM SPSS Modeler Subscription Installer that allows a user with create symbolic link permission to write arbitrary file in another protected path during product installation. IBM X-Force ID: 187727. | |||||
| CVE-2021-23873 | 1 Mcafee | 1 Total Protection | 2022-05-03 | 3.6 LOW | 6.1 MEDIUM |
| Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file deletion as the SYSTEM user potentially causing Denial of Service via manipulating Junction link, after enumerating certain files, at a specific time. | |||||
| CVE-2021-23872 | 1 Mcafee | 1 Total Protection | 2022-05-03 | 4.6 MEDIUM | 7.8 HIGH |
| Privilege Escalation vulnerability in the File Lock component of McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by manipulating a symbolic link in the IOCTL interface. | |||||
| CVE-2020-24556 | 3 Apple, Microsoft, Trendmicro | 5 Macos, Windows, Apex One and 2 more | 2022-04-28 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in Trend Micro Apex One, OfficeScan XG SP1, Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected. | |||||
| CVE-2022-27816 | 1 Swhkd Project | 1 Swhkd | 2022-04-27 | 3.3 LOW | 7.1 HIGH |
| SWHKD 1.1.5 unsafely uses the /tmp/swhks.pid pathname. There can be data loss or a denial of service. | |||||
| CVE-2020-11736 | 3 Canonical, Debian, Gnome | 3 Ubuntu Linux, Debian Linux, File-roller | 2022-04-27 | 3.3 LOW | 3.9 LOW |
| fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. | |||||
| CVE-2019-18932 | 2 Opensuse, Squid Analysis Report Generator Project | 3 Backports Sle, Leap, Squid Analysis Report Generator | 2022-04-26 | 4.4 MEDIUM | 7.0 HIGH |
| log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations. | |||||
| CVE-2020-6477 | 4 Apple, Fedoraproject, Google and 1 more | 5 Mac Os X, Fedora, Chrome and 2 more | 2022-04-26 | 4.6 MEDIUM | 7.8 HIGH |
| Inappropriate implementation in installer in Google Chrome on OS X prior to 83.0.4103.61 allowed a local attacker to perform privilege escalation via a crafted file. | |||||
| CVE-2021-37712 | 5 Debian, Microsoft, Npmjs and 2 more | 5 Debian Linux, Windows, Tar and 2 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. | |||||
| CVE-2021-37701 | 4 Debian, Npmjs, Oracle and 1 more | 4 Debian Linux, Tar, Graalvm and 1 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. | |||||
| CVE-2021-44730 | 3 Canonical, Debian, Fedoraproject | 4 Snapd, Ubuntu Linux, Debian Linux and 1 more | 2022-02-28 | 6.9 MEDIUM | 8.8 HIGH |
| snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 | |||||
| CVE-2021-44141 | 3 Fedoraproject, Redhat, Samba | 3 Fedora, Storage, Samba | 2022-02-23 | 3.5 LOW | 4.3 MEDIUM |
| All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed. | |||||
| CVE-2017-16611 | 3 Canonical, Debian, X | 3 Ubuntu Linux, Debian Linux, Libxfont | 2022-02-20 | 4.9 MEDIUM | 5.5 MEDIUM |
| In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files. | |||||
| CVE-2022-0017 | 2 Microsoft, Paloaltonetworks | 2 Windows, Globalprotect | 2022-02-17 | 6.9 MEDIUM | 7.8 HIGH |
| An improper link resolution before file access ('link following') vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows. GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.5 on Windows. This issue does not affect GlobalProtect app on other platforms. | |||||
| CVE-2021-30855 | 1 Apple | 6 Ipad Os, Iphone Os, Mac Os X and 3 more | 2022-02-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, iOS 15 and iPadOS 15, watchOS 8, macOS Big Sur 11.6. An application may be able to access restricted files. | |||||
| CVE-2021-3641 | 2 Bitdefender, Microsoft | 2 Gravityzone, Windows | 2022-02-09 | 3.6 LOW | 6.1 MEDIUM |
| Improper Link Resolution Before File Access ('Link Following') vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions. | |||||
| CVE-2007-6061 | 1 Audacityteam | 1 Audacity | 2022-02-07 | 5.0 MEDIUM | N/A |
| Audacity 1.3.2 creates a temporary directory with a predictable name without checking for previous existence of that directory, which allows local users to cause a denial of service (recording deadlock) by creating the directory before Audacity is run. NOTE: this issue can be leveraged to delete arbitrary files or directories via a symlink attack. | |||||
| CVE-2021-23521 | 1 Juce | 1 Juce | 2022-02-07 | 4.6 MEDIUM | 7.8 HIGH |
| This affects the package juce-framework/JUCE before 6.1.5. This vulnerability is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target dir allowing writing arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted upon calling uncompressTo() on a ZipFile object. | |||||
| CVE-2022-21944 | 2 Opensuse, Suse | 2 Factory Watchman, Suse Linux Enterprise Server | 2022-02-03 | 7.2 HIGH | 7.8 HIGH |
| A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1. | |||||
| CVE-2018-6954 | 3 Canonical, Opensuse, Systemd Project | 3 Ubuntu Linux, Leap, Systemd | 2022-01-31 | 7.2 HIGH | 7.8 HIGH |
| systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on. | |||||
| CVE-2017-18078 | 3 Debian, Opensuse, Systemd Project | 3 Debian Linux, Leap, Systemd | 2022-01-31 | 4.6 MEDIUM | 7.8 HIGH |
| systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file. | |||||
| CVE-2013-4392 | 1 Systemd Project | 1 Systemd | 2022-01-31 | 3.3 LOW | N/A |
| systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. | |||||
| CVE-2012-0871 | 2 Opensuse, Systemd Project | 2 Opensuse, Systemd | 2022-01-28 | 6.3 MEDIUM | N/A |
| The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. | |||||
| CVE-2013-4969 | 4 Canonical, Debian, Puppet and 1 more | 4 Ubuntu Linux, Debian Linux, Puppet Enterprise and 1 more | 2022-01-24 | 2.1 LOW | N/A |
| Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. | |||||
| CVE-2022-0012 | 2 Microsoft, Paloaltonetworks | 2 Windows, Cortex Xdr Agent | 2022-01-19 | 3.6 LOW | 7.1 HIGH |
| An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2. | |||||
| CVE-2021-26089 | 1 Fortinet | 1 Forticlient | 2022-01-17 | 7.2 HIGH | 7.8 HIGH |
| An improper symlink following in FortiClient for Mac 6.4.3 and below may allow an non-privileged user to execute arbitrary privileged shell commands during installation phase. | |||||
| CVE-2021-45442 | 2 Microsoft, Trendmicro | 4 Windows, Apex One, Worry-free Business Security and 1 more | 2022-01-14 | 6.6 MEDIUM | 7.1 HIGH |
| A link following denial-of-service vulnerability in Trend Micro Worry-Free Business Security (on prem only) could allow a local attacker to overwrite arbitrary files in the context of SYSTEM. This is similar to, but not the same as CVE-2021-44024. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2021-44024 | 2 Microsoft, Trendmicro | 4 Windows, Apex One, Worry-free Business Security and 1 more | 2022-01-14 | 6.6 MEDIUM | 7.1 HIGH |
| A link following denial-of-service vulnerability in Trend Micro Apex One (on-prem and SaaS) and Trend Micro Worry-Free Business Security (10.0 SP1 and Services) could allow a local attacker to overwrite arbitrary files in the context of SYSTEM. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2021-20153 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-01-07 | 6.9 MEDIUM | 6.8 MEDIUM |
| Trendnet AC2600 TEW-827DRU version 2.08B01 contains a symlink vulnerability in the bittorrent functionality. If enabled, the bittorrent functionality is vulnerable to a symlink attack that could lead to remote code execution on the device. If an end user inserts a flash drive with a malicious symlink on it that the bittorrent client can write downloads to, then a user is able to download arbitrary files to any desired location on the devices filesystem, which could lead to remote code execution. Example directories vulnerable to this include "config", "downloads", and "torrents", though it should be noted that "downloads" is the only vector that allows for arbitrary files to be downloaded to arbitrary locations. | |||||
| CVE-2021-23772 | 2 Golang, Iris-go | 2 Go, Iris | 2022-01-04 | 6.8 MEDIUM | 8.8 HIGH |
| This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. | |||||
| CVE-2021-30968 | 1 Apple | 5 Iphone Os, Mac Os X, Macos and 2 more | 2022-01-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| A validation issue related to hard link behavior was addressed with improved sandbox restrictions. This issue is fixed in macOS Big Sur 11.6.2, tvOS 15.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, watchOS 8.3. A malicious application may be able to bypass certain Privacy preferences. | |||||
| CVE-2020-10174 | 3 Canonical, Fedoraproject, Timeshift Project | 3 Ubuntu Linux, Fedora, Timeshift | 2022-01-01 | 6.9 MEDIUM | 7.0 HIGH |
| init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used. | |||||
| CVE-2020-7319 | 1 Mcafee | 1 Endpoint Security | 2022-01-01 | 4.6 MEDIUM | 8.8 HIGH |
| Improper Access Control vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows local users to access files which the user otherwise would not have access to via manipulating symbolic links to redirect McAfee file operations to an unintended file. | |||||
| CVE-2020-3437 | 1 Cisco | 1 Sd-wan Firmware | 2022-01-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to read arbitrary files on the underlying filesystem of the device. The vulnerability is due to insufficient file scope limiting. An attacker could exploit this vulnerability by creating a specific file reference on the filesystem and then accessing it through the web-based management interface. A successful exploit could allow the attacker to read arbitrary files from the filesystem of the underlying operating system. | |||||
| CVE-2020-36193 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | |||||
| CVE-2021-32610 | 3 Debian, Fedoraproject, Php | 3 Debian Linux, Fedora, Archive Tar | 2022-01-01 | 3.6 LOW | 7.1 HIGH |
| In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. | |||||