CVE-2020-13776 – systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits
https://notcve.org/view.php?id=CVE-2020-13776
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.

A flaw was found in systemd, where it mishandles numerical usernames beginning with decimal digits, or "0x" followed by hexadecimal digits. When the usernames are used by systemd, for example in service units, an unexpected user may be used instead.

References:
• https://github.com/systemd/systemd/issues/15985
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYGLFEKG45EYBJ7TPQMLWROWPTZBEU63
• https://security.netapp.com/advisory/ntap-20200611-0003
• https://access.redhat.com/security/cve/CVE-2020-13776
• https://bugzilla.redhat.com/show_bug.cgi?id=1845534

CWE:
• CWE-269: Improper Privilege Management
• CWE-440: Expected Behavior Violation