CVE-2022-3560

MEDIUM

pesign < 116 - Path Traversal via Symbolic Link Handling

Title source: llm

Description

A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.

References (1)

Core 1

Core References

Issue Tracking, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2135420#c0

Scores

CVSS v3 5.5

EPSS 0.0003

EPSS Percentile 10.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (6)

fedoraproject/fedora 36

fedoraproject/fedora 37

pesign_project/pesign < 116

redhat/enterprise_linux 7.0

redhat/enterprise_linux 8.0

redhat/enterprise_linux 9.0

Published Feb 02, 2023

Tracked Since Feb 18, 2026