CVE-2019-19191
Published: 21 November 2019
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
Notes
| Author | Note |
|---|---|
| ebarretto | According to Debian: This is an issue in the upstream provided spec file which is not relevant for the binary packages build in Debian (fixed upstream in 3.1.0). The postinst in the Debian packaging does not have similar problematic chown logic. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
shibboleth-sp Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(RPM specfile issue)
|
|
| groovy |
Not vulnerable
(RPM specfile issue)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.1.0)
|
|
| xenial |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |