CVE-2021-32000 - OpenCVE

A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files. This issue affects: SUSE Linux Enterprise Server 12 SP3 clone-master-clean-up version 1.6-4.6.1 and prior versions. SUSE Linux Enterprise Server 15 SP1 clone-master-clean-up version 1.6-3.9.1 and prior versions. openSUSE Factory clone-master-clean-up version 1.6-1.4 and prior versions.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:N/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Suse	Linux Enterprise Server Opensuse Factory

Configuration 1 [-]

OR	cpe:2.3:o:suse:linux_enterprise_server:12:sp3:::-:-::
	cpe:2.3:o:suse:linux_enterprise_server:15:sp1:::-:-::
	cpe:2.3:o:suse:opensuse_factory:-:::::::*

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1181050	Exploit Issue Tracking Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: suse

Published: 2021-07-08T00:00:00

Updated: 2022-10-13T00:00:00

Reserved: 2021-05-03T00:00:00

Link: CVE-2021-32000

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-07-28T10:15:07.943

Modified: 2023-06-21T15:19:13.533

Link: CVE-2021-32000

JSON object: View

Redhat Information

No data.

CWE

CWE-59

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-32000", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "datePublished": "2021-07-08T00:00:00", "dateUpdated": "2022-10-13T00:00:00", "dateReserved": "2021-05-03T00:00:00"}, "containers": {"cna": {"title": "clone-master-clean-up: dangerous file system operations", "datePublic": "2021-07-08T00:00:00", "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2022-10-13T00:00:00"}, "descriptions": [{"lang": "en", "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files. This issue affects: SUSE Linux Enterprise Server 12 SP3 clone-master-clean-up version 1.6-4.6.1 and prior versions. SUSE Linux Enterprise Server 15 SP1 clone-master-clean-up version 1.6-3.9.1 and prior versions. openSUSE Factory clone-master-clean-up version 1.6-1.4 and prior versions."}], "affected": [{"vendor": "SUSE", "product": "SUSE Linux Enterprise Server 12 SP3", "versions": [{"version": "clone-master-clean-up", "status": "affected", "lessThanOrEqual": "1.6-4.6.1", "versionType": "custom"}]}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server 15 SP1", "versions": [{"version": "clone-master-clean-up", "status": "affected", "lessThanOrEqual": "1.6-3.9.1", "versionType": "custom"}]}, {"vendor": "openSUSE", "product": "Factory", "versions": [{"version": "clone-master-clean-up", "status": "affected", "lessThanOrEqual": "1.6-1.4", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1181050"}], "credits": [{"lang": "en", "value": "Matthias Gerstner of SUSE"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 3.2, "baseSeverity": "LOW"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Improper Link Resolution Before File Access ('Link Following')"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1181050", "defect": ["1181050"], "discovery": "INTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:-:-:*:*", "matchCriteriaId": "47FB0003-EFE7-4E9A-8772-27576A771884", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:linux_enterprise_server:15:sp1:*:*:-:-:*:*", "matchCriteriaId": "60EF8A73-A078-49A9-8FDE-4B7F74B2E17B", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:opensuse_factory:-:*:*:*:*:*:*:*", "matchCriteriaId": "64D9A5D6-4B12-4B25-ACD2-560C864B6FE1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files. This issue affects: SUSE Linux Enterprise Server 12 SP3 clone-master-clean-up version 1.6-4.6.1 and prior versions. SUSE Linux Enterprise Server 15 SP1 clone-master-clean-up version 1.6-3.9.1 and prior versions. openSUSE Factory clone-master-clean-up version 1.6-1.4 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de seguimiento de enlaces simb\u00f3licos UNIX (Symlink) en el script clone-master-clean-up.sh de clone-master-clean-up en SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory permite a los atacantes locales eliminar archivos arbitrarios. Este problema afecta a: SUSE Linux Enterprise Server 12 SP3 clone-master-clean-up versi\u00f3n 1.6-4.6.1 y versiones anteriores. SUSE Linux Enterprise Server 15 SP1 clone-master-clean-up versi\u00f3n 1.6-3.9.1 y versiones anteriores. openSUSE Factory clone-master-clean-up versi\u00f3n 1.6-1.4 y versiones anteriores"}], "id": "CVE-2021-32000", "lastModified": "2023-06-21T15:19:13.533", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.6, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2021-07-28T10:15:07.943", "references": [{"source": "meissner@suse.de", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1181050"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}