high
8.4
CWE
22
Advisory Published
Updated

CVE-2019-3696: pcp: Local privilege escalation from user pcp to root through migrate_tempdirs

First published: Tue Mar 03 2020(Updated: )

A Improper Limitation of a Pathname to a Restricted Directory vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local user pcp to overwrite arbitrary files with arbitrary content. This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1.

Credit: meissner@suse.de

Affected SoftwareAffected VersionHow to fix
Opensuse Pcp<3.11.9-5.8.1
SUSE Linux Enterprise High Performance Computing=15.0
SUSE Linux Enterprise High Performance Computing=15.0
SUSE Linux Enterprise Server=15
Suse Linux Enterprise Server Ltss=15
Suse Linux Enterprise Server Sap=15
Opensuse Pcp<4.3.1-3.5.3
SUSE Linux Enterprise Server=15-sp1
Opensuse Pcp<3.11.9-6.14.1
SUSE Linux Enterprise Software Development Kit=12-sp4
SUSE Linux Enterprise Software Development Kit=12-sp5
Opensuse Pcp<4.3.1-lp151.2.3.1
openSUSE Leap=15.1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2019-3696?

    CVE-2019-3696 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability in the packaging of pcp.

  • Which software is affected by CVE-2019-3696?

    CVE-2019-3696 affects Opensuse Pcp, SUSE Linux Enterprise High Performance Computing, SUSE Linux Enterprise Server, SUSE Linux Enterprise Software Development Kit, and openSUSE Leap.

  • What is the severity of CVE-2019-3696?

    The severity of CVE-2019-3696 is high with a CVSS score of 7.3.

  • How can I fix CVE-2019-3696?

    To fix CVE-2019-3696, apply the latest security patches provided by the software vendor.

  • Where can I find more information about CVE-2019-3696?

    You can find more information about CVE-2019-3696 in the official SUSE bugzilla report: https://bugzilla.suse.com/show_bug.cgi?id=1153921

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203