CVE-2019-3690 MEDIUM

CVE-2019-3690: chkstat follows untrusted symbolic links

Vendor Suse
Product permissions
Weakness CWE-59
Published December 5, 2019
Last update September 16, 2024

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.

Key dates

02Disclosure timeline

December 5, 2019 CVE published
September 16, 2024 Record updated