CVE-2020-13882

Priority
Description
CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU
(time-of-check to time-of-use) race condition. The routine that checks the
permissions of the log and report files did not work as intended and could be
bypassed locally. Because of the race, an unprivileged local attacker can
create the log and report files in advance and keep control of them up to the
point at which the permission-check routine runs. After the check has passed,
the file can be removed, recreated, and used for additional attacks.
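The check-then-use pattern behind this class of bug, next to a descriptor-based alternative, as an added example (this is not Lynis code, and the file names, the `between_check_and_use` hook and the `run_race_demo` harness are hypothetical, used only to simulate an attacker winning the race inside a temporary directory owned by the caller):

```python
"""Check-then-use on a report file versus open-then-fstat.

Added example, not Lynis code. The attacker's move is simulated by a callback
that runs inside the race window; all paths live in a caller-owned temp dir.
"""
import errno
import os
import stat
import tempfile


def permissions_ok(path):
    """The vulnerable style of check: inspects the *path*, not an open file.
    True if the file is absent (the tool will create it) or is a regular
    file, owned by us, with no group/world access. Nothing stops `path`
    from changing after this returns."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return True
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def write_report_vulnerable(path, data, between_check_and_use=None):
    """Check first, then open by path: the TOCTOU window is the gap between
    the two. `between_check_and_use` stands in for an attacker who wins it."""
    if not permissions_ok(path):
        raise PermissionError("refusing to use %s" % path)
    if between_check_and_use:
        between_check_and_use()          # attacker swaps the file here
    with open(path, "w") as fh:          # follows whatever `path` is now
        fh.write(data)


def write_report_safe(path, data, between_check_and_use=None):
    """Open first (O_NOFOLLOW so a symlink fails with ELOOP), inspect the
    descriptor with fstat, and write through that same descriptor. There is
    no window: whatever is done to `path` after the open cannot redirect
    the write. Owner and link-count checks catch a hard link planted in
    place of the file, which O_NOFOLLOW alone would not."""
    if between_check_and_use:
        between_check_and_use()          # attacker acts before we open
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise PermissionError("%s is a symlink; refusing" % path) from None
        raise
    try:
        st = os.fstat(fd)
        if not (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
                and st.st_nlink == 1 and (st.st_mode & 0o077) == 0):
            raise PermissionError("%s has unexpected owner/mode/links" % path)
        os.ftruncate(fd, 0)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def run_race_demo(workdir=None):
    """Play the race against both writers and report what happened to the
    target file. Everything is created under a temp dir owned by the caller,
    so this simulates the attack rather than touching anything real."""
    workdir = workdir or tempfile.mkdtemp(prefix="toctou-demo-")
    target = os.path.join(workdir, "target.txt")  # file the attacker must not write
    report = os.path.join(workdir, "report.dat")  # the tool's report file

    def reset():
        with open(target, "w") as fh:
            fh.write("original")
        if os.path.lexists(report):
            os.unlink(report)
        # attacker pre-creates a clean-looking report file so the path check passes
        os.close(os.open(report, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))

    def swap():
        # attacker wins the race: replace the checked file with a symlink
        os.unlink(report)
        os.symlink(target, report)

    result = {}
    reset()
    write_report_vulnerable(report, "report data", between_check_and_use=swap)
    with open(target) as fh:
        result["vulnerable_target_after"] = fh.read()   # "report data": clobbered

    reset()
    try:
        write_report_safe(report, "report data", between_check_and_use=swap)
        result["safe_refused"] = False
    except PermissionError:
        result["safe_refused"] = True                   # True: symlink rejected
    with open(target) as fh:
        result["safe_target_after"] = fh.read()         # "original": untouched
    return result


if __name__ == "__main__":
    print(run_race_demo())
```

The descriptor-based variant closes the window between check and use, but it is a mitigation, not a substitute for never writing a privileged tool's output into a directory other users can create files in; keeping the log and report files in a directory only the tool's user can write to removes the attacker's ability to plant the file in the first place.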
Notes
Package
Source: lynis (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 20.04 LTS (Focal Fossa): needs-triage
Ubuntu 20.10 (Groovy Gorilla): not-affected (3.0.0-1)
More Information

Updated: 2020-09-09 23:35:20 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)