CVE-2019-19191
N/A
N/A
Summary
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://issues.shibboleth.net/jira/browse/SSPCPP-874
- https://bugzilla.suse.com/show_bug.cgi?id=1157471
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00017.html
References
- https://issues.shibboleth.net/jira/browse/SSPCPP-874
- https://bugzilla.suse.com/show_bug.cgi?id=1157471
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00017.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.