CVE-2020-8013
low-risk
Published 2020-03-02
A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can't be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1.
Do I need to act?
0.05% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 2.2/10
Low
LOCAL / HIGH complexity
Affected Products (4)
References (4)
Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=1163922
16 / 100
low-risk
Severity
6/34 · Minimal
Exploitability
0/34 · Minimal
Exposure
10/34 · Low