CyberSec.Space Logo
Back to CVE Browser

CVE-2019-18932

HIGH
7.0
CVSS Severity Score
EPSS Score0.1510%
EPSS Percentile40.45th
PublishedJan 21, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations.

Affected Platforms (CPE)

πŸ“¦
Squid Analysis Report Generator Project

Squid Analysis Report Generator

<= 2.3.11
πŸ“¦
Opensuse

Backports Sle

= 15.0
πŸ’»
Opensuse

Leap

= 15.1

References & Advisories

πŸ”— http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00051.html
πŸ”— http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00063.html
πŸ”— http://www.openwall.com/lists/oss-security/2020/01/20/6
πŸ”— http://www.openwall.com/lists/oss-security/2020/01/20/6
πŸ”— http://www.openwall.com/lists/oss-security/2020/01/27/1
πŸ”— https://bugzilla.suse.com/show_bug.cgi?id=1150554
πŸ”— https://seclists.org/oss-sec/2020/q1/23
πŸ”— https://security.gentoo.org/glsa/202007-32

Related Vulnerabilities

CVE-2008-116710.0

Stack-based buffer overflow in the useragent function in useragent.c in Squid Analysis Report Generator (Sarg) 2.2.3.1 allows remo...

CVE-2008-72499.3

Buffer overflow in Squid Analysis Report Generator (Sarg) 2.2.3.1, and probably later, allows user-assisted remote attackers to ex...

CVE-2008-11684.3

Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator (Sarg) 2.2.3.1 allows remote attackers to inject arbit...

CVE-2008-72504.3

Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator (Sarg) 2.2.4 allows remote attackers to inject arbitra...