CVE-2020-10737
low-risk
Published 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6. During home directory creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. An attacker can exploit this flaw by creating a symlink that points to a target folder, whose ownership is then transferred to the new home directory's unprivileged user.
Do I need to act?
0.11% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.3/10
Medium
LOCAL / HIGH complexity
Affected Products (1)
Oddjob
Affected Vendors
References (4)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10737
21 / 100
low-risk
Severity
16/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal