#VU32880 Improper Privilege Management in HylaFAX - CVE-2020-15397
Published: July 29, 2020 / Updated: August 5, 2020
HylaFAX
Hylafax.org
Description
The vulnerability allows a local user to escalate privileges on the system.
HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).
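
A defender-side check for the condition described above, as an added example that is not part of the advisory or of HylaFAX: it lists directories under a given root that hold executables and that an account other than the trusted owner could modify. The function names and arguments are hypothetical; the only value taken from the page is the /var/spool/hylafax path in the usage comment.

```shell
#!/bin/sh
# Added example (not from the advisory or the HylaFAX project).
# Heuristic audit: find executables whose directory, or any ancestor up to
# the audited root, can be modified by someone other than the trusted uid.

# is_modifiable DIR TRUSTED_UID
# Succeeds if DIR is owned by a different uid or is group/world-writable.
is_modifiable() {
    [ -n "$(find "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print)" ]
}

# audit_exec_dirs ROOT [TRUSTED_UID]   (TRUSTED_UID defaults to 0, i.e. root)
# Prints "<dir holding executables><TAB><modifiable dir that exposes it>".
audit_exec_dirs() {
    root=${1%/}
    trusted=${2:-0}
    # Collect every directory that contains a file with any execute bit set.
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do dirname "$f"; done | sort -u |
    while IFS= read -r dir; do
        d=$dir
        # Walk upward: whoever can write an ancestor can rename the subtree
        # and substitute their own binaries, even if the leaf looks safe.
        while :; do
            if is_modifiable "$d" "$trusted"; then
                printf '%s\t%s\n' "$dir" "$d"
                break
            fi
            case "$d" in "$root"|/) break ;; esac
            d=$(dirname "$d")
        done
    done
}

# Usage on an affected host (run as root so every directory is readable):
#   audit_exec_dirs /var/spool/hylafax 0
```

Any line of output is a location where a script running as root would be executing a binary that a less privileged account can replace; the fix is to move the binary to a root-owned, non-writable path or to correct the directory ownership and mode.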