CVE-2023-32190 HIGH

CVE-2023-32190: mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable

Vendor SUSE
Product openSUSE Tumbleweed
Published October 16, 2024
Last update March 19, 2025

CVSS base score

8.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

mlocate's %post script allows the RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.

Key dates

02 Disclosure timeline

October 16, 2024 CVE published
March 19, 2025 Record updated