Main Vulnerability Database SB2021070712

SB2021070712 - Gentoo update for OpenDoas

Published: July 7, 2021

Security Bulletin ID SB2021070712

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-25016)

The vulnerability allows a remote authenticated user to execute arbitrary code.

In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed to authenticated user to execute specific commands were not affected by this issue.

Remediation

Install update from vendor's website.

References

https://security.gentoo.org/
https://security.gentoo.org/glsa/202107-11