CVE-2020-13882
low-risk
Published 2020-06-18
CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU (time-of-check/time-of-use) race condition. The routine that checks the permissions of the log and report files did not work as intended and could be bypassed locally. Because of the race, an unprivileged local attacker can create the log and report files in advance and retain control of them up to the point where the routine performs its check; after the check, the file can be removed, recreated, and used for further attacks.
Do I need to act?
- Exploitation likelihood: 0.05% chance of exploitation (EPSS score, low exploit probability)
- CISA KEV: not on the CISA KEV list; no confirmed active exploitation reported to CISA
- Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance.
- CVSS: 4.2/10 (Medium); attack vector LOCAL, attack complexity HIGH
Affected Vendors: CISOfy
References (8)
- Vendor Advisory: https://cisofy.com/security/cve/cve-2020-13882/
- Third Party Advisory (CWE-367, Time-of-check Time-of-use Race Condition): https://cwe.mitre.org/data/definitions/367.html
Overall risk score: 20/100 (low-risk)
- Severity: 11/34 · Low
- Exploitability: 0/34 · Minimal
- Exposure: 9/34 · Low