Incorrect permission assignment for critical resource - CVE-2019-25016

 

Incorrect permission assignment for critical resource - CVE-2019-25016

Published: February 3, 2021


Vulnerability identifier: #VU50299
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-25016
CWE-ID: CWE-732
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor:
Affected software:

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed to authenticated user to execute specific commands were not affected by this issue.


How to mitigate CVE-2019-25016

Install update from vendor's website.

Sources