CVE-2020-14004

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-14004

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-14004.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-14004

Related

Published

2020-06-12T16:15:10Z

Modified

2025-02-19T03:07:23.512141Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.

References

Affected packages

Debian:11 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/icinga/icinga2

Affected ranges

Type: GIT
Repo: https://github.com/icinga/icinga2
Events: Last affected

71cefb9ea4e5f0f824ca78bb92ff1332b0165726

Introduced

30384a4340011723869969e76a3dd2801786cf2e

Last affected

911c14fad87719aa6bc95b17ddf579acd31acf83

Type: GIT
Repo: https://github.com/icinga/icingaweb2
Events: Introduced

ee1ee5af84d32c4493365959aa8a4322a34582e4

Last affected

f917436a894c1f4148a9c3d6a27f9c20f204e44f

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.1.2

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.11.0

v2.11.0-rc1

v2.11.1

v2.11.2

v2.11.3

v2.12.0-rc1

v2.2.0

v2.3.0

v2.3.1

v2.3.10

v2.3.11

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

v2.4.0-2

v2.4.1

v2.4.10

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.1

v2.7.2

v2.8.0

v2.8.0-rc1

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.9.0

v2.9.1

v2.9.2