CVE-2021-25317

Published on: 05/05/2021 12:00:00 AM UTC

Last Modified on: 01/19/2023 01:15:00 PM UTC

CVE-2021-25317 - advisory for https://bugzilla.suse.com/show_bug.cgi?id=1184161

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Certain versions of Fedora from Fedoraproject contain the following vulnerability:

A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions.

CVE-2021-25317 has been assigned by [email protected] to track the vulnerability - currently rated as LOW severity.
Affected Vendor/Software: SUSE - SUSE Linux Enterprise Server 11-SP4-LTSS version < 1.3.9
Affected Vendor/Software: SUSE - SUSE Manager Server 4.0 version < 2.2.7
Affected Vendor/Software: SUSE - SUSE OpenStack Cloud Crowbar 9 version < 1.7.5
Affected Vendor/Software: openSUSE - openSUSE Leap 15.2 version < 2.2.7
Affected Vendor/Software: openSUSE - Factory version <= 2.3.3op2-2.1

CVSS3 Score: 3.3 - LOW

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	LOW	NONE

CVSS2 Score: 2.1 - LOW

Access Vector^ⓘ	Access Complexity	Authentication
LOCAL	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
NONE	PARTIAL	NONE

CVE References

Description	Tags ^ⓘ	Link
Bug 1184161 – VUL-0: CVE-2021-25317: cups: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks	bugzilla.suse.com text/html	CONFIRM bugzilla.suse.com/show_bug.cgi?id=1184161
[SECURITY] Fedora 34 Update: cups-2.3.3op2-5.fc34 - package-announce - Fedora Mailing-Lists	lists.fedoraproject.org text/html	FEDORA FEDORA-2021-dc578ce534
[SECURITY] Fedora 32 Update: cups-2.3.3op2-5.fc32 - package-announce - Fedora Mailing-Lists	lists.fedoraproject.org text/html	FEDORA FEDORA-2021-be95e017e7
[SECURITY] Fedora 33 Update: cups-2.3.3op2-5.fc33 - package-announce - Fedora Mailing-Lists	lists.fedoraproject.org text/html	FEDORA FEDORA-2021-7b698513d5

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

174968 SUSE Enterprise Linux Security Update for cups (SUSE-SU-2021:1453-1)
174969 SUSE Enterprise Linux Security Update for cups (SUSE-SU-2021:1454-1)
281230 Fedora Security Update for cups (FEDORA-2021-be95e017e7)
281231 Fedora Security Update for cups (FEDORA-2021-7b698513d5)
281232 Fedora Security Update for cups (FEDORA-2021-dc578ce534)
670480 EulerOS Security Update for cups (EulerOS-SA-2021-2238)
670506 EulerOS Security Update for cups (EulerOS-SA-2021-2264)
670531 EulerOS Security Update for cups (EulerOS-SA-2021-2289)
670566 EulerOS Security Update for cups (EulerOS-SA-2021-2324)
670605 EulerOS Security Update for cups (EulerOS-SA-2021-2363)
750244 OpenSUSE Security Update for cups (openSUSE-SU-2021:0638-1)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Opensuse	Factory	-	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All
Application	Suse	Cups	All	All	All	All
Application	Suse	Cups	All	All	All	All
Application	Suse	Cups	All	All	All	All
Operating System	Suse	Linux Enterprise Server	11	sp4	All	All
Application	Suse	Manager Server	4.0	All	All	All
Application	Suse	Openstack Cloud Crowbar	9.0	All	All	All

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*:
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*:
cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*:
cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*:
cpe:2.3:a:suse:cups:*:*:*:*:*:*:*:*:
cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:ltss:*:*:*:
cpe:2.3:a:suse:manager_server:4.0:*:*:*:*:*:*:*:
cpe:2.3:a:suse:openstack_cloud_crowbar:9.0:*:*:*:*:*:*:*:

Discovery Credit

Matthias Gerstner of SUSE

Social Mentions

Source	Title	Posted (UTC)
/r/netcve	CVE-2021-25317	2021-05-05 10:41:44