DNA View

CVE-2019-18901

Medium

Low Medium High Critical

5.1

CVSS Score

Published: Mar 02, 2020

Last Modified: Nov 21, 2024

CWE: CWE-59

Vulnerability Description

A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Linux Enterprise Server 12 mariadb versions prior to 10.2.31-3.25.1. SUSE Linux Enterprise Server 15 mariadb versions prior to 10.2.31-3.26.1.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Known Affected Software

3 configuration(s) from 2 vendor(s)

leap

Version:

15.1

CPE:

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

linux_enterprise_server

Version:

CPE:

cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:-:*:*:*

linux_enterprise_server

Version:

CPE:

cpe:2.3:o:suse:linux_enterprise_server:15:-:*:*:*:*:*:*

This vulnerability affects 3 software configuration(s). Ensure you patch all affected systems.

References & Resources

Severity Details

5.1

out of 10.0

Medium

Weakness Type (CWE)

CWE-59

Improper Link Resolution Before File Access ('Link Following')

Description: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Exploit Likelihood: Medium
Typical Severity: Medium
Abstraction Level: Base