{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-01T21:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1165802"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/teejee2008/timeshift/releases/tag/v20.03"}, {"name": "[oss-security] 20200306 CVE-2020-10174: timeshift: arbitrary local code execution due to unsafe usage of temporary directory in /tmp/timeshift", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/03/06/3"}, {"name": "FEDORA-2020-c18248f61a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXXYQFSZ5P6ZMNFIDBAQKBFZIR2T7ZLL/"}, {"name": "FEDORA-2020-6b3ae09449", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SXDEPC52G46U6I7GLQNFLZXVSM7V2HYY/"}, {"name": "FEDORA-2020-1050d60507", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAOFXT64CEUMJE3723JDJWTEQWQUCYMD/"}, {"name": "USN-4312-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4312-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10174", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1165802", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1165802"}, {"name": "https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462", "refsource": "MISC", "url": "https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462"}, {"name": "https://github.com/teejee2008/timeshift/releases/tag/v20.03", "refsource": "MISC", "url": "https://github.com/teejee2008/timeshift/releases/tag/v20.03"}, {"name": "[oss-security] 20200306 CVE-2020-10174: timeshift: arbitrary local code execution due to unsafe usage of temporary directory in /tmp/timeshift", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/03/06/3"}, {"name": "FEDORA-2020-c18248f61a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXXYQFSZ5P6ZMNFIDBAQKBFZIR2T7ZLL/"}, {"name": "FEDORA-2020-6b3ae09449", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SXDEPC52G46U6I7GLQNFLZXVSM7V2HYY/"}, {"name": "FEDORA-2020-1050d60507", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAOFXT64CEUMJE3723JDJWTEQWQUCYMD/"}, {"name": "USN-4312-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4312-1/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10174", "datePublished": "2020-03-05T15:28:55", "dateReserved": "2020-03-05T00:00:00", "dateUpdated": "2020-04-01T21:06:04", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:timeshift_project:timeshift:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDDB2FCE-E8A1-46AA-8682-F6FB21557BC1", "versionEndExcluding": "20.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used."}, {"lang": "es", "value": "init_tmp en TeeJee.FileSystem.vala en Timeshift versiones anteriores a 20.03, reutiliza de forma no segura un directorio temporal preexistente en la ubicaci\u00f3n predecible /tmp/timeshift. Sigue los enlaces simb\u00f3licos en esta ubicaci\u00f3n o usa directorios propiedad de los usuarios sin privilegios. Debido a que Timeshift tambi\u00e9n ejecuta scripts bajo esta ubicaci\u00f3n, un atacante puede intentar ganar una condici\u00f3n de carrera para sustituir los scripts creados mediante Timeshift con scripts controlados por el atacante. Tras el \u00e9xito, un script controlado por el atacante es ejecutado con todos los privilegios root. Esta l\u00f3gica es siempre activada pr\u00e1cticamente cuando Timeshift se ejecuta independientemente de los argumentos de l\u00ednea de comando utilizados."}], "id": "CVE-2020-10174", "lastModified": "2023-11-07T03:14:07.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-05T16:15:11.940", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/06/3"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1165802"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/teejee2008/timeshift/releases/tag/v20.03"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAOFXT64CEUMJE3723JDJWTEQWQUCYMD/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SXDEPC52G46U6I7GLQNFLZXVSM7V2HYY/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXXYQFSZ5P6ZMNFIDBAQKBFZIR2T7ZLL/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4312-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}