Vulnerability Details CVE-2020-24330
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.3%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 7.2
References
- http://www.openwall.com/lists/oss-security/2020/08/14/1
- https://bugzilla.suse.com/show_bug.cgi?id=1164472
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
- https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
- https://sourceforge.net/p/trousers/mailman/message/37015817/
- http://www.openwall.com/lists/oss-security/2020/08/14/1
- https://bugzilla.suse.com/show_bug.cgi?id=1164472
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
- https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
- https://sourceforge.net/p/trousers/mailman/message/37015817/
Products affected by CVE-2020-24330
-
cpe:2.3:a:trousers_project:trousers:0.2.8
-
cpe:2.3:a:trousers_project:trousers:0.2.9
-
cpe:2.3:a:trousers_project:trousers:0.2.9.1
-
cpe:2.3:a:trousers_project:trousers:0.2.9.2
-
cpe:2.3:a:trousers_project:trousers:0.3.0
-
cpe:2.3:a:trousers_project:trousers:0.3.1
-
cpe:2.3:a:trousers_project:trousers:0.3.10
-
cpe:2.3:a:trousers_project:trousers:0.3.11
-
cpe:2.3:a:trousers_project:trousers:0.3.13
-
cpe:2.3:a:trousers_project:trousers:0.3.14
-
cpe:2.3:a:trousers_project:trousers:0.3.2
-
cpe:2.3:a:trousers_project:trousers:0.3.3
-
cpe:2.3:a:trousers_project:trousers:0.3.4
-
cpe:2.3:a:trousers_project:trousers:0.3.5
-
cpe:2.3:a:trousers_project:trousers:0.3.6
-
cpe:2.3:a:trousers_project:trousers:0.3.7
-
cpe:2.3:a:trousers_project:trousers:0.3.8
-
cpe:2.3:a:trousers_project:trousers:0.3.9
-
cpe:2.3:o:fedoraproject:fedora:33