CVE-2020-13882
Severity: MEDIUM
CISOfy Lynis < 3.0.0 - Time-of-check Time-of-use Race Condition in Log and Report File Permission Check
CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a time-of-check time-of-use (TOCTOU) race condition. The routine that checks the permissions of the log and report files did not work as intended and could be bypassed locally. Because of the race, an unprivileged local attacker can create the log and report files and retain control of them up to the point at which the routine performs its check. After the check, the files can be removed, recreated, and used for further attacks.
References (4)
Vendor Advisory (x_refsource_confirm): https://cisofy.com/security/cve/cve-2020-13882/
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDCHEKNR3HPJRNHE5PYKFH5GNBADTPA7/
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBFHIX6RTHCK37FXMAAXP4KGAMLUFDUD/
Third Party Advisory (x_refsource_misc): https://cwe.mitre.org/data/definitions/367.html
Scores
CVSS v3
4.2
EPSS
0.0026
EPSS Percentile
16.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Details
CWE
CWE-367
Status
published
Products (3)
cisofy/lynis
< 3.0.0
fedoraproject/fedora
31
fedoraproject/fedora
32
Published
Jun 18, 2020
Tracked Since
Feb 18, 2026