Vulnerability Details CVE-2019-15901
An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. A setusercontext(3) call with flags to change the UID, primary GID, and secondary GIDs was replaced (on certain platforms: Linux and possibly NetBSD) with a single setuid(2) call. This resulted in neither changing the group id nor initializing secondary group ids.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.0
References
- https://github.com/slicer69/doas/commit/6cf0236184ff6304bf5e267ccf7ef02874069697
- https://github.com/slicer69/doas/compare/6.1p1...6.2
- https://github.com/slicer69/doas/pull/23
- https://github.com/slicer69/doas/commit/6cf0236184ff6304bf5e267ccf7ef02874069697
- https://github.com/slicer69/doas/compare/6.1p1...6.2
- https://github.com/slicer69/doas/pull/23
Products affected by CVE-2019-15901
-
cpe:2.3:a:doas_project:doas:5.6-3
-
cpe:2.3:a:doas_project:doas:5.9
-
cpe:2.3:a:doas_project:doas:5.9-1
-
cpe:2.3:a:doas_project:doas:5.9-2
-
cpe:2.3:a:doas_project:doas:5.9-4
-
cpe:2.3:a:doas_project:doas:5.9-5
-
cpe:2.3:a:doas_project:doas:5.9-6
-
cpe:2.3:a:doas_project:doas:5.9-7
-
cpe:2.3:a:doas_project:doas:6.0
-
cpe:2.3:a:doas_project:doas:6.0-0
-
cpe:2.3:a:doas_project:doas:6.0-1
-
cpe:2.3:a:doas_project:doas:6.1
-
cpe:2.3:o:linux:linux_kernel:-