Description
The abrt-action-install-debuginfo-to-abrt-cache help program in Automatic Bug Reporting Tool (ABRT) does not properly handle the process environment before invoking abrt-action-install-debuginfo, which allows local users to gain privileges.
References (3)
Core 3
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1216962
Patch, Third Party Advisory x_refsource_confirm
https://github.com/abrt/abrt/commit/9943a77bca37a0829ccd3784d1dfab37f8c24e7b
Patch, Third Party Advisory x_refsource_confirm
https://github.com/abrt/abrt/commit/9a4100678fea4d60ec93d35f4c5de2e9ad054f3a
Scores
CVSS v3
7.8
EPSS
0.0016
EPSS Percentile
36.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
redhat/automatic_bug_reporting_tool
Published
Jan 14, 2020
Tracked Since
Feb 18, 2026