GO-2020-0027

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2020-0027

Import Source

https://vuln.go.dev/ID/GO-2020-0027.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2020-0027

Aliases

Published

2021-04-14T20:04:52Z

Modified

2024-05-20T16:03:47Z

Summary

Privilege escalation in github.com/google/fscrypt

Details

After dropping and then elevating process privileges euid, guid, and groups are not properly restored to their original values, allowing an unprivileged user to gain membership in the root group.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2020-0027"
}

References

Affected packages

Go / github.com/google/fscrypt

Package

Name: github.com/google/fscrypt; View open source insights on deps.dev
Purl: pkg:golang/github.com/google/fscrypt

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/google/fscrypt/pam",
            "symbols": [
                "Handle.StartAsPamUser",
                "Handle.StopAsPamUser",
                "NewHandle"
            ]
        },
        {
            "path": "github.com/google/fscrypt/security",
            "symbols": [
                "FindKey",
                "InsertKey",
                "RemoveKey",
                "SetProcessPrivileges",
                "UserKeyringID",
                "setGids",
                "setGroups",
                "setUids"
            ]
        }
    ]
}