CVE-2021-25630
Summary
| CVE | CVE-2021-25630 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-02-23 16:15:00 UTC |
| Updated | 2021-02-27 03:04:00 UTC |
| Description | "loolforkit" is a privileged program that is supposed to be run by a special, non-privileged "lool" user. Before doing anything else, "loolforkit" checks whether it was invoked by the "lool" user and refuses to run with privileges if that is not the case. In the vulnerable version of "loolforkit" this check was wrong, so a normal user could start "loolforkit" and eventually obtain local root privileges. |
Risk And Classification
Problem Types: CWE-269
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Collaboraoffice | Online | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - libreoffice-online "loolforkit" privileged program local root exploit | MISC | www.openwall.com | Mailing List, Third Party Advisory |
| CVE-2021-25630: "loolforkit" privileged program local root exploit · Advisory · CollaboraOnline/online · GitHub | MISC | github.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
Thanks to Matthias Gerstner (SUSE) for raising the issue.
There are currently no legacy QID mappings associated with this CVE.