Vulnerability Description
Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and play the temporary audio .au files located there.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Audacityteam | Audacity | <= 2.3.3 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://github.com/audacity/audacity/releasesRelease NotesThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://salvatoresecurity.com/the-many-perils-of-tmp/Third Party Advisory
- https://github.com/audacity/audacity/releasesRelease NotesThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://salvatoresecurity.com/the-many-perils-of-tmp/Third Party Advisory
FAQ
What is CVE-2020-11867?
CVE-2020-11867 is a vulnerability with a CVSS score of 3.3 (LOW). Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and ...
How severe is CVE-2020-11867?
CVE-2020-11867 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11867?
Check the references section above for vendor advisories and patch information. Affected products include: Audacityteam Audacity, Fedoraproject Fedora.