A vulnerability has been found in openSUSE Leap 15.1 and classified as critical. Affected by this vulnerability is some unknown processing of the component privoxy. The manipulation with an unknown input leads to a symlink vulnerability. The CWE definition for the vulnerability is CWE-61. The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of privoxy on openSUSE Leap 15.1, Factory allows local attackers to escalate from user privoxy to root. This issue affects: openSUSE Leap 15.1 privoxy version 3.0.28-lp151.1.1 and prior versions. openSUSE Factory privoxy version 3.0.28-2.1 and prior versions.

The weakness was presented 01/24/2020 as Bug 1157449 as confirmed bug report (Bugzilla). It is possible to read the advisory at bugzilla.suse.com. This vulnerability is known as CVE-2019-3699 since 01/03/2019. Attacking locally is a requirement. Required for exploitation is a single authentication. The technical details are unknown and an exploit is not publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See VDB-149322 for similar entry.

Productinfo

Vendor

• openSUSE

Name

• Leap

Version

• 15.1

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion