Vulnerability Description
In OpenDoas from 6.6 to 6.8 the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed the authenticated user to execute specific commands were not affected by this issue.
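As an added illustration (not code from the OpenDoas project or from this advisory), the following Python audits a doas.conf and lists the permit rules that carry no `cmd` restriction, i.e. the "any command" rules the description says are affected on 6.6 through 6.8. The sample configuration below is constructed for the example.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample doas.conf (not from any real host).
SAMPLE_CONF = """\
# permit|deny [options] identity [as target] [cmd command [args ...]]
permit persist :wheel                              # any command
permit nopass alice as root cmd /usr/bin/pkg_add   # specific command only
permit setenv { PATH=/usr/bin:/bin } bob           # any command
deny carol
"""

OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")


@dataclass
class Rule:
    action: str
    identity: str
    target: Optional[str]
    cmd: Optional[str]
    options: List[str] = field(default_factory=list)


def parse_doas_conf(text: str) -> List[Rule]:
    """Parse the subset of doas.conf(5) grammar shown in SAMPLE_CONF."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        toks = shlex.split(line)
        action, i, options = toks[0], 1, []
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected keyword: {action}")
        while i < len(toks) and toks[i] in OPTIONS:  # options precede identity
            if toks[i] == "setenv":                  # setenv { VAR=value ... }
                close = toks.index("}", i)
                options.append("setenv " + " ".join(toks[i + 2:close]))
                i = close + 1
            else:
                options.append(toks[i])
                i += 1
        identity, i = toks[i], i + 1
        target = cmd = None
        if i < len(toks) and toks[i] == "as":
            target, i = toks[i + 1], i + 2
        if i < len(toks) and toks[i] == "cmd":
            cmd = " ".join(toks[i + 1:])
        rules.append(Rule(action, identity, target, cmd, options))
    return rules


def affected_rules(text: str) -> List[Rule]:
    """Permit rules with no cmd clause: the rules the advisory says are affected."""
    return [r for r in parse_doas_conf(text) if r.action == "permit" and r.cmd is None]
```

Rules returned by `affected_rules` are the ones whose authenticated executions inherited the caller's PATH on the affected versions; rules with a `cmd` clause are reported as unaffected, matching the description.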
CVSS Score
HIGH (CVSS base score 8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opendoas Project | Opendoas | >= 6.6, <= 6.8 |
Related Weaknesses (CWE)
References
- https://github.com/Duncaen/OpenDoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032 (Patch, Third Party Advisory)
- https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa4 (Patch, Third Party Advisory)
- https://github.com/Duncaen/OpenDoas/issues/45 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1 (Release Notes, Third Party Advisory)
- https://security.gentoo.org/glsa/202107-11 (Third Party Advisory)
FAQ
What is CVE-2019-25016?
CVE-2019-25016 is a vulnerability with a CVSS score of 8.8 (HIGH). In OpenDoas from 6.6 to 6.8 the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed the authenticated user to execute specific commands were not affected.
How severe is CVE-2019-25016?
CVE-2019-25016 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above.
Is there a patch for CVE-2019-25016?
Yes. The fix is referenced in the References section above (the two OpenDoas commits and the v6.8.1 release notes), along with the Gentoo advisory. Affected products: Opendoas Project Opendoas, versions 6.6 through 6.8.