Security restrictions bypass in xdg-user-dirs - CVE-2017-15131
Published: April 25, 2018
Vulnerability identifier: #VU12180
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-15131
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: endlessm
Affected software:
xdg-user-dirs
xdg-user-dirs
Detailed vulnerability description
The vulnerability allows a local attacker to bypass security restrictions on the target system.
The weakness exists due to system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. A local attacker can bypass security restrictions.
The weakness exists due to system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. A local attacker can bypass security restrictions.
How to mitigate CVE-2017-15131
Update to version 0.15.5.