Description
An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root. One example is the "sudo ln -s /tmp/script /etc/cron.hourly/script" command.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://www.securifera.com/advisories/cve-2018-20052-20053/
Scores
CVSS v3: 7.8
EPSS: 0.0038
EPSS Percentile: 29.4%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-1188
Status: published
Products (1): cerner/connectivity_engine_4_firmware < 201812
Published: Apr 25, 2019
Tracked Since: Feb 18, 2026