GHSA-9mc5-7qhg-fp3w

Source
https://github.com/advisories/GHSA-9mc5-7qhg-fp3w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-9mc5-7qhg-fp3w/GHSA-9mc5-7qhg-fp3w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9mc5-7qhg-fp3w
Aliases
Published
2025-03-11T21:12:54Z
Modified
2025-03-21T21:51:07Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Below has Incorrect Permission Assignment for Critical Resource
Details

Impact

A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.

Patches

https://github.com/facebookincubator/below/commit/10e73a21d67baa2cd613ee92ce999cda145e1a83

The fix is included in version 0.9.0.

Workarounds

Change the permissions on /var/log/below manually so that the directory is no longer world-writable.
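The following is an added example, not code from the advisory or from the below project, showing how an administrator can audit a log directory for the world-writable bit and apply the workaround above. The directory path is a parameter so the check can be tried on a constructed temporary directory before it is run against /var/log/below (which requires root). It assumes GNU coreutils `stat` is available.

```shell
#!/bin/sh
# Added example (not from the advisory or the below project).
# Audit a directory for the "other write" bit, which is the condition the
# advisory describes for /var/log/below, and remove it as the workaround
# recommends. Assumes GNU coreutils stat (for the %a format).

# Print "world-writable" or "ok" for the given directory.
# Returns 1 when the directory is world-writable, 2 if it cannot be read.
check_dir_mode() {
    dir="$1"
    # %a prints the octal mode without a leading zero, e.g. 777 or 1777
    mode=$(stat -c '%a' "$dir") || return 2
    # the last octal digit is the "other" permission set; bit value 2 is write
    other=$(( mode % 10 ))
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "world-writable"
        return 1
    fi
    echo "ok"
    return 0
}

# Remove write permission for "other" and print the resulting octal mode.
harden_dir() {
    dir="$1"
    chmod o-w "$dir" || return 2
    stat -c '%a' "$dir"
}

# Demonstration on a constructed temporary directory (not the real path):
demo_dir=$(mktemp -d)
chmod 777 "$demo_dir"
check_dir_mode "$demo_dir"
harden_dir "$demo_dir"
check_dir_mode "$demo_dir"
rmdir "$demo_dir"
```

Removing the other-write bit closes the condition the advisory describes, but it does not replace the upstream fix: upgrading to 0.9.0 ensures the service itself stops creating the directory with that mode.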

References

https://www.facebook.com/security/advisories/cve-2025-27591
https://www.cve.org/CVERecord?id=CVE-2025-27591

Database specific
{
    "nvd_published_at": "2025-03-11T19:15:43Z",
    "cwe_ids": [
        "CWE-732"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T21:12:54Z"
}

Affected packages

crates.io / below

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.9.0