CVSS2: 3.7 Low
Attack Vector: LOCAL
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:L/AC:H/Au:N/C:P/I:P/A:P

CVSS3: 4.2 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

EPSS: 0.0004 Low
Percentile: 15.7%

CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU
race condition. The routine to check the log and report file permissions
was not working as intended and could be bypassed locally. Because of the
race, an unprivileged attacker can set up a log and report file, and
control that up to the point where the specific routine is doing its check.
After that, the file can be removed, recreated, and used for additional
attacks.
cisofy.com/security/cve/cve-2020-13882/
github.com/CISOfy/lynis/commit/5b09da0d9878096d45f04b858c4f65e674369ab4
github.com/CISOfy/lynis/pull/594
launchpad.net/bugs/cve/CVE-2020-13882
nvd.nist.gov/vuln/detail/CVE-2020-13882
security-tracker.debian.org/tracker/CVE-2020-13882
www.cve.org/CVERecord?id=CVE-2020-13882
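
The check-then-use pattern behind this class of bug, shown next to a form that creates the log file atomically and validates the open descriptor rather than the name. This is an added example, not taken from Lynis or from its fix; the function names and the temporary file names are constructed for illustration.

```python
import os
import stat
import tempfile

def check_then_open(path):
    """Racy: the check and the open are two separate lookups of the same name."""
    st = os.lstat(path)                       # time of check
    if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError("unsafe log file")
    # Window: the name can be removed and recreated before the next line.
    return open(path, "a")                    # time of use

def open_log_atomically(path):
    """Create the file ourselves, then validate the descriptor, not the name."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)          # fails if the name already exists
    try:
        st = os.fstat(fd)                     # the object we actually hold open
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
                or stat.S_IMODE(st.st_mode) & 0o077):
            raise PermissionError("unexpected file type, owner or mode")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario: log names that exist before the tool starts."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "tool.log")
        with open_log_atomically(fresh) as fh:
            fh.write("started\n")
        out["fresh_mode_ok"] = (stat.S_IMODE(os.stat(fresh).st_mode) & 0o077) == 0
        target = os.path.join(d, "elsewhere")
        names = {"precreated": os.path.join(d, "old.log"),
                 "symlink": os.path.join(d, "link.log")}
        open(names["precreated"], "w").close()
        os.symlink(target, names["symlink"])
        for label, path in names.items():
            try:
                open_log_atomically(path).close()
                out[label] = "opened"
            except FileExistsError:
                out[label] = "refused"
        out["symlink_target_created"] = os.path.exists(target)
    return out

if __name__ == "__main__":
    print(demo())
```

Because the checks run on the descriptor returned by the exclusive create, later writes go to the validated file even if the name is unlinked or replaced afterwards.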