Vulnerability Description
A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pesign Project | Pesign | < 116 |
| Fedoraproject | Fedora | 36 |
| Redhat | Enterprise Linux | 7.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2135420#c0Issue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2135420#c0Issue TrackingThird Party Advisory
FAQ
What is CVE-2022-3560?
CVE-2022-3560 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories t...
How severe is CVE-2022-3560?
CVE-2022-3560 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-3560?
Check the references section above for vendor advisories and patch information. Affected products include: Pesign Project Pesign, Fedoraproject Fedora, Redhat Enterprise Linux.