7.8

CVE-2019-20373

First published: Thu Jan 09 2020

LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.

Credit: cve@mitre.org

Affected Software | Affected Version | How to fix
debian/ldm        |                  | 2:2.18.06-1+deb10u1
Debian Linux      | =8.0             |
Debian Linux      | =9.0             |
Debian Linux      | =10.0            |
LTSP LDM          | <=2.18.06        |

Frequently Asked Questions

  • What is the severity of CVE-2019-20373?

    CVE-2019-20373 is considered a high-risk vulnerability due to its potential to allow root access to fat clients.

  • How do I fix CVE-2019-20373?

    To fix CVE-2019-20373, upgrade to the patched version 2:2.18.06-1+deb10u1 or later for the ldm package.

  • Which systems are affected by CVE-2019-20373?

    CVE-2019-20373 affects Debian Linux versions 8.0, 9.0, and 10.0, as well as LTSP LDM versions up to 2.18.06.

  • What causes the vulnerability in CVE-2019-20373?

    CVE-2019-20373 is caused by the LDM_USERNAME variable potentially having an empty value when the user's shell lacks support for Bourne shell syntax; the issue is related to a run-x-session script.

  • Can CVE-2019-20373 be exploited remotely?

    Yes, CVE-2019-20373 can be exploited remotely, leading to unauthorized root access on vulnerable systems.
