CVE-2019-18898

Description

UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14-6.3.1. openSUSE Factory trousers versions prior to 0.3.14-7.1.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected products

openSUSE / Factorytrousers – 0.3.14-7.1
SUSE / SUSE Linux Enterprise Server 15 SP1trousers – 0.3.14-6.3.1

References

MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-05/msg00066.html
MISChttps://bugzilla.suse.com/show_bug.cgi?id=1157651