Candidate: CVE-2020-15397
PublicDate: 2020-06-30 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15397
 https://sourceforge.net/p/hylafax/HylaFAX+/2534/
Description:
 HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute
 binaries from directories writable by unprivileged users (e.g., locations
 under /var/spool/hylafax that are writable by the uucp account). This
 allows these users to execute code in the context of the user calling
 these binaries (often root).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964198
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_hylafax:
upstream_hylafax: needs-triage
precise/esm_hylafax: DNE
trusty_hylafax: ignored (out of standard support)
trusty/esm_hylafax: DNE
xenial_hylafax: ignored (end of standard support, was needs-triage)
bionic_hylafax: needs-triage
focal_hylafax: needs-triage
groovy_hylafax: ignored (reached end-of-life)
hirsute_hylafax: ignored (reached end-of-life)
impish_hylafax: needs-triage
jammy_hylafax: needs-triage
devel_hylafax: needs-triage