CVE-2019-20373

Published: 9 January 2020

LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: ldm (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Needs triage
disco      Ignored (reached end-of-life)
eoan       Ignored (reached end-of-life)
focal      Released (2:2.18.06-1+deb10u1build0.20.04.1)
groovy     Ignored (reached end-of-life)
hirsute    Does not exist
impish     Does not exist
jammy      Does not exist
precise    Does not exist
trusty     Does not exist
upstream   Needs triage
xenial     Ignored (end of standard support, was needs-triage)