CVE-2021-25317
Summary
| CVE | CVE-2021-25317 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-05-05 10:15:00 UTC |
| Updated | 2023-11-07 03:31:00 UTC |
| Description | An Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp user to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. |
Risk And Classification
Problem Types: CWE-276
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Application | Opensuse | Factory | - | All | All | All |
| Operating System | Opensuse | Leap | 15.2 | All | All | All |
| Application | Suse | Cups | All | All | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp4 | All | All |
| Application | Suse | Manager Server | 4.0 | All | All | All |
| Application | Suse | Openstack Cloud Crowbar | 9.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Bug 1184161 – VUL-0: CVE-2021-25317: cups: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks | CONFIRM | bugzilla.suse.com | |
| [SECURITY] Fedora 34 Update: cups-2.3.3op2-5.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 32 Update: cups-2.3.3op2-5.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 33 Update: cups-2.3.3op2-5.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Matthias Gerstner of SUSE
Legacy QID Mappings
- 174968 SUSE Enterprise Linux Security Update for cups (SUSE-SU-2021:1453-1)
- 174969 SUSE Enterprise Linux Security Update for cups (SUSE-SU-2021:1454-1)
- 281230 Fedora Security Update for cups (FEDORA-2021-be95e017e7)
- 281231 Fedora Security Update for cups (FEDORA-2021-7b698513d5)
- 281232 Fedora Security Update for cups (FEDORA-2021-dc578ce534)
- 670480 EulerOS Security Update for cups (EulerOS-SA-2021-2238)
- 670506 EulerOS Security Update for cups (EulerOS-SA-2021-2264)
- 670531 EulerOS Security Update for cups (EulerOS-SA-2021-2289)
- 670566 EulerOS Security Update for cups (EulerOS-SA-2021-2324)
- 670605 EulerOS Security Update for cups (EulerOS-SA-2021-2363)
- 750244 OpenSUSE Security Update for cups (openSUSE-SU-2021:0638-1)