Candidate: CVE-2020-13882
PublicDate: 2020-06-18 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13882
 https://github.com/CISOfy/lynis/pull/594
 https://github.com/CISOfy/lynis/commit/5b09da0d9878096d45f04b858c4f65e674369ab4
 https://cisofy.com/security/cve/cve-2020-13882/
Description:
 CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU
 race condition. The routine to check the log and report file permissions was
 not working as intended and could be bypassed locally. Because of the race,
 an unprivileged attacker can set up a log and report file, and control that
 up to the point where the specific routine is doing its check. After that,
 the file can be removed, recreated, and used for additional attacks.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L [4.2 MEDIUM]

Patches_lynis:
upstream_lynis: needs-triage
precise/esm_lynis: DNE
trusty_lynis: ignored (out of standard support)
trusty/esm_lynis: DNE
xenial_lynis: ignored (end of standard support, was needs-triage)
bionic_lynis: needs-triage
eoan_lynis: ignored (reached end-of-life)
focal_lynis: needs-triage
groovy_lynis: not-affected (3.0.0-1)
hirsute_lynis: not-affected (3.0.0-1)
impish_lynis: not-affected (3.0.0-1)
jammy_lynis: not-affected (3.0.0-1)
devel_lynis: not-affected (3.0.0-1)