Incorrect permission assignment for critical resource - CVE-2019-25016

 


Published: February 3, 2021


Vulnerability identifier: #VU50299
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-25016
CWE-ID: CWE-732
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Software vendor:

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

In OpenDoas from 6.6 to 6.8, the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed the authenticated user to execute specific commands were not affected by this issue.
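A configuration audit for the condition described above, as an added example that is not part of the original advisory or the OpenDoas project: it lists the `permit` rules in a doas.conf that carry no `cmd` restriction when the installed version is in the stated 6.6 to 6.8 range. The parser is simplified, and the function names, the sample configuration and the inclusive reading of the version range are assumptions made for illustration.

```python
import shlex

AFFECTED = ((6, 6), (6, 8))  # "from 6.6 to 6.8" as stated in the advisory (assumed inclusive)
OPTIONS = {"nopass", "nolog", "persist", "keepenv", "setenv"}

# Constructed sample doas.conf, not taken from any real system.
SAMPLE = """\
# constructed sample doas.conf
permit persist :wheel
permit nopass alice as root cmd /usr/bin/systemctl args restart nginx
permit setenv { PATH=/usr/bin:/bin } bob as root
deny carol
permit keepenv dave cmd /usr/sbin/reboot
"""

def version_affected(version):
    """True if a dotted OpenDoas version falls in the advisory's range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED[0] <= parts <= AFFECTED[1]

def parse_rule(line):
    """Simplified doas.conf rule parser; returns None for non-rule lines."""
    padded = line.replace("{", " { ").replace("}", " } ")
    tokens = shlex.split(padded, comments=True)
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    i = 1
    while i < len(tokens) and tokens[i] in OPTIONS:
        # setenv carries a { ... } block; skip past its closing brace
        i = tokens.index("}", i) + 1 if tokens[i] == "setenv" else i + 1
    if i >= len(tokens):
        return None
    rest = tokens[i + 1:]  # everything after the identity: [as target] [cmd ...]
    command = rest[rest.index("cmd") + 1] if "cmd" in rest[:-1] else None
    return {"action": tokens[0], "identity": tokens[i], "command": command}

def audit(conf_text, version):
    """Return (line number, identity) for permit rules with no cmd restriction."""
    if not version_affected(version):
        return []
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule["action"] == "permit" and rule["command"] is None:
            findings.append((lineno, rule["identity"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "6.8"))
```
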


Remediation

Install update from vendor's website.
