CVE-2022-31256

2022-10-2609:15:15

Debian Security Bug Tracker

security-tracker.debian.org

improper link resolution

file access

sendmail

opensuse factory

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

A Improper Link Resolution Before File Access (‘Link Following’) vulnerability in a script called by the sendmail systemd service of openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: SUSE openSUSE Factory sendmail versions prior to 8.17.1-1.1.

OSVersionArchitecturePackageVersionFilename
Debian12allsendmail< 8.17.1.9-2+deb12u2sendmail_8.17.1.9-2+deb12u2_all.deb
Debian11allsendmail< 8.15.2-22+deb11u3sendmail_8.15.2-22+deb11u3_all.deb
Debian999allsendmail< 8.18.1-6sendmail_8.18.1-6_all.deb
Debian13allsendmail< 8.18.1-6sendmail_8.18.1-6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	sendmail	< 8.17.1.9-2+deb12u2	sendmail_8.17.1.9-2+deb12u2_all.deb
Debian	11	all	sendmail	< 8.15.2-22+deb11u3	sendmail_8.15.2-22+deb11u3_all.deb
Debian	999	all	sendmail	< 8.18.1-6	sendmail_8.18.1-6_all.deb
Debian	13	all	sendmail	< 8.18.1-6	sendmail_8.18.1-6_all.deb