CVE-2019-18901

Advisory lineage Upstream: 0 Downstream: 9

Downstream

OPENSUSE-SU-2020:0289-1 OPENSUSE-SU-2024:11038-1 SUSE-RU-2023:3956-1 SUSE-RU-2023:4991-1 SUSE-SU-2020:0496-1 SUSE-SU-2020:0505-1

Modified

Published: 02 Mar 2020, 16:10

Last modified:17 Sept 2024, 01:16

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

v3.1 (nvd)

EPSS Score

0.1% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

02 Mar 2020, 16:10

Published

Vulnerability first disclosed

17 Sept 2024, 01:16

Last Modified

Vulnerability information updated

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Linux Enterprise Server 12 mariadb versions prior to 10.2.31-3.25.1. SUSE Linux Enterprise Server 15 mariadb versions prior to 10.2.31-3.26.1.

CVSS Metrics

v3.1•MEDIUM•Score: 5.1CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.10%• Percentile: 27%

Techniques & Countermeasures

CWE-59•Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Systems

opensuse•leap
15.1
suse•linux_enterprise_server
12 | 15
suse•suse linux enterprise server 12
≥ mariadb, < 10.2.31-3.25.1
suse•suse linux enterprise server 15
≥ mariadb, < 10.2.31-3.26.1