CVE-2020-10174

HIGH

Timeshift < 20.03 - Unauthenticated Race Condition via Predictable Temporary Directory

Title source: llm
STIX 2.1

Description

init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used.

References (8)

Core 8
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.suse.com/show_bug.cgi?id=1165802
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/teejee2008/timeshift/releases/tag/v20.03
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/03/06/3
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4312-1/

Scores

CVSS v3 7.0
EPSS 0.0012
EPSS Percentile 31.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-362 CWE-59
Status published
Products (5)
canonical/ubuntu_linux 19.10
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
timeshift_project/timeshift < 20.03
Published Mar 05, 2020
Tracked Since Feb 18, 2026