CVE-2020-10737

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-10737
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10737.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-10737
Related
Published
2020-05-27T01:15:09Z
Modified
2024-11-21T04:55:58Z
Downstream
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink point to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.

References

Affected packages

Debian:11 / oddjob

Package

Name
oddjob
Purl
pkg:deb/debian/oddjob?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.34.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / oddjob

Package

Name
oddjob
Purl
pkg:deb/debian/oddjob?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.34.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / oddjob

Package

Name
oddjob
Purl
pkg:deb/debian/oddjob?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.34.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}