Vulnerability Name:

CVE-2020-8015 (CCN-179019)

Assigned: 2020-04-02
Published: 2020-04-02
Updated: 2020-11-20
Summary: A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.
CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-59
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2020-8015

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2020:0491

Source: CCN
Type: Bugzilla – Bug 1154183
(CVE-2020-8015) VUL-0: CVE-2020-8015: exim: Local privilege escalation from user mail to root

Source: CONFIRM
Type: Exploit, Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1154183

Source: XF
Type: UNKNOWN
opensuse-cve20208015-priv-esc(179019)

Source: CCN
Type: openSUSE Web site
exim

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:exim:exim:*:*:*:*:*:*:*:* (Version < 4.93.0.4-3.1)
  • AND
  • cpe:/o:opensuse:opensuse:-:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20208015 | V | CVE-2020-8015 | 2022-06-30
oval:org.opensuse.security:def:112207 | P | exim-4.94.2-4.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:100366 | P | (Moderate) | 2021-12-16
oval:org.opensuse.security:def:64615 | P | Security update for the Linux Kernel (Important) | 2021-11-19
oval:org.opensuse.security:def:74669 | P | Security update for xstream (Important) | 2021-10-20
oval:org.opensuse.security:def:105738 | P | exim-4.94.2-4.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:64557 | P | Security update for qemu (Moderate) | 2021-08-20
oval:org.opensuse.security:def:63506 | P | perl-rrdtool-1.7.0-4.34 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:62832 | P | texlive-collection-basic-2017.135.svn41616-9.12.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62800 | P | libmp3lame-devel-3.100-1.33 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63010 | P | go1.16-1.16.3-1.11.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62804 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62807 | P | libplist++-devel-2.0.0-1.31 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:64727 | P | Security update for qemu (Moderate) | 2021-06-30
oval:org.opensuse.security:def:107032 | P | Security update for exim (Critical) | 2021-05-20
oval:org.opensuse.security:def:11216 | P | Security update for exim (Critical) | 2021-05-20
oval:org.opensuse.security:def:93653 | P | Security update for exim (Critical) | 2021-05-20
oval:org.opensuse.security:def:64455 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:63303 | P | skopeo-0.1.41-4.11.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:74802 | P | Security update for exim (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64347 | P | liblua5_3-5-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63653 | P | Security update for ovmf (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64348 | P | liblzo2-2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63882 | P | Security update for ghostscript (Important) | 2020-12-01
oval:org.opensuse.security:def:64211 | P | apr-util-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:110464 | P | Security update for exim (Moderate) | 2020-04-09
    exim exim *
    opensuse opensuse -