CVE-2020-21583
Published: 22 August 2023
An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.
Notes
| Author | Note |
|---|---|
Priority reason: Non-default and improbable configuration |
|
| mdeslaur | This is only an issue when hwclock was modified by the administrator to be setuid root, which should never be done. Ubuntu packages are not shipped with the setuid bit set. To prevent misconfiguration, version 2.27 now prevent it from being run setuid. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
util-linux Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| mantic |
Not vulnerable
|
|
| noble |
Not vulnerable
|
|
| trusty |
Needed
|
|
| upstream |
Released
(2.27)
|
|
| xenial |
Not vulnerable
(2.27.1-6ubuntu3)
|
|
|
Patches: upstream: https://github.com/util-linux/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.7 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |