CVE-2019-18897 — HIGH (8.4)

Vulnerability Description

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of salt of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Factory allows local attackers to escalate privileges from user salt to root. This issue affects: SUSE Linux Enterprise Server 12 salt-master version 2019.2.0-46.83.1 and prior versions. SUSE Linux Enterprise Server 15 salt-master version 2019.2.0-6.21.1 and prior versions. openSUSE Factory salt-master version 2019.2.2-3.1 and prior versions.

CVSS Score

8.4

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Suse	Linux Enterprise Server	12
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-59

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.htmlBroken LinkMailing ListVendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1157465Issue TrackingVendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.htmlBroken LinkMailing ListVendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1157465Issue TrackingVendor Advisory

FAQ

What is CVE-2019-18897?

CVE-2019-18897 is a vulnerability with a CVSS score of 8.4 (HIGH). A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of salt of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Factory allows local attackers to escalate...

How severe is CVE-2019-18897?

CVE-2019-18897 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18897?

Check the references section above for vendor advisories and patch information. Affected products include: Suse Linux Enterprise Server, Opensuse Leap.