A vulnerability was found in SuSE Linux Enterprise Server 12/15 (Operating System). It has been classified as critical. This affects an unknown function of the component MariaDB. The manipulation with an unknown input leads to a symlink vulnerability. CWE is classifying the issue as CWE-61. The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Linux Enterprise Server 12 mariadb versions prior to 10.2.31-3.25.1. SUSE Linux Enterprise Server 15 mariadb versions prior to 10.2.31-3.26.1.

The weakness was released 03/02/2020 as Bug 1160895 as not defined bug report (Bugzilla). The advisory is shared at bugzilla.suse.com. This vulnerability is uniquely identified as CVE-2019-18901 since 11/12/2019. An attack has to be approached locally. The successful exploitation requires a authentication. Neither technical details nor an exploit are publicly available.

Applying a patch is able to eliminate this problem.

Entries connected to this vulnerability are available at 150803, 150802 and 150800.

Productinfo

Type

• Operating System

Vendor

• SuSE

Name

• Linux Enterprise Server

Version

• 12
• 15

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion