Vulnerability CVE-2019-20373


Published: 2020-01-09   Modified: 2020-01-10

Description:
LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.

Type:

NVD-CWE-noinfo

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
LTSP -> LDM 
Debian -> Debian linux 

 References:
https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63ed6c84221cef73e409059661b8ba
https://lists.debian.org/debian-lts-announce/2020/01/msg00007.html
https://www.debian.org/security/2020/dsa-4601

Copyright 2024, cxsecurity.com

 

Back to Top