CVE-2021-25322 MEDIUM

CVE-2021-25322: python-HyperKitty: hyperkitty-permissions.sh used during %post allows local privilege escalation from hyperkitty user to root

Vendor Opensuse

Product Leap 15.2

Weakness CWE-61

Published June 10, 2021

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.

Key dates

Disclosure timeline

June 10, 2021 CVE published

September 17, 2024 Record updated

Identifiers

CVE CVE-2021-25322

CWE CWE-61

CVSS 6.8 / MEDIUM

Affected versions

Vendor Opensuse

Product Leap 15.2

Affected ≥ python-HyperKitty and ≤ 1.3.2-lp152.2.3.1

Vendor Opensuse

Product Factory

Affected ≥ python-HyperKitty and < 1.3.4-5.1