CVE-2020-7040

Publication date 21 January 2020

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

8.1 · High

storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. (Local users can also create a plain file named /tmp/storeBackup.lock to block use of storeBackup until an admin manually deletes that file.)

Status

| Package | Ubuntu Release | Status |
|---|---|---|
| storebackup | 20.04 LTS focal | Fixed 3.2.1-1+deb8u1build0.20.04.1 |
| storebackup | 19.10 eoan | Ignored (end of life) |
| storebackup | 19.04 disco | Ignored (end of life) |
| storebackup | 18.04 LTS bionic | Fixed 3.2.1-1+deb8u1build0.18.04.1 |
| storebackup | 16.04 LTS xenial | Fixed 3.2.1-1+deb8u1build0.16.04.1 |
| storebackup | 14.04 LTS trusty | Not in release |

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 8.1 · High |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |

References

Related Ubuntu Security Notices (USN)

    • USN-4508-1: StoreBackup vulnerability (16 September 2020)

Other references