Vulnerability Description
LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 8.0 |
| Ltsp | Ldm | <= 2.18.06 |
References
- https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63edPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/01/msg00007.htmlMailing ListPatchThird Party Advisory
- https://www.debian.org/security/2020/dsa-4601Third Party Advisory
- https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63edPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/01/msg00007.htmlMailing ListPatchThird Party Advisory
- https://www.debian.org/security/2020/dsa-4601Third Party Advisory
FAQ
What is CVE-2019-20373?
CVE-2019-20373 is a vulnerability with a CVSS score of 7.8 (HIGH). LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-s...
How severe is CVE-2019-20373?
CVE-2019-20373 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-20373?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Ltsp Ldm.