CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31252 – permissions: chkstat does not check for group-writable parent directories or target files in safeOpen()
https://notcve.org/view.php?id=CVE-2022-31252
A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225. Una vulnerabilidad de autorización incorrecta en chkstat de SUSE Linux Enterprise Server versión 12-SP5; openSUSE Leap versión 15.3, openSUSE Leap versión 15.4, openSUSE Leap Micro versión 5.2, no tenía en cuenta los componentes de la ruta de escritura del grupo, lo que permitía a atacantes locales con acceso a un grupo lo que puede escribir en una ubicación incluida en la ruta de un binario privilegiado para influir en la resolución de la ruta. Este problema afecta a: SUSE Linux Enterprise Server 12-SP5 versiones de permisos anteriores a 20170707. openSUSE Leap 15.3 versiones de permisos anteriores a 20200127. openSUSE Leap 15.4 versiones de permisos anteriores a 20201225. openSUSE Leap Micro 5.2 versiones de permisos anteriores a 20181225 • https://bugzilla.suse.com/show_bug.cgi?id=1203018 • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-28321
https://notcve.org/view.php?id=CVE-2022-28321
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream. El paquete Linux-PAM versiones anteriores a 1.5.2-6.1 para openSUSE Tumbleweed, permite omitir la autenticación en los inicios de sesión SSH. • http://download.opensuse.org/source/distribution/openSUSE-current/repo/oss/src https://bugzilla.suse.com/show_bug.cgi?id=1197654 https://www.suse.com/security/cve/CVE-2022-28321.html • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31251 – slurm: %post for slurm-testsuite operates as root in user owned directory
https://notcve.org/view.php?id=CVE-2022-31251
A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3. Una vulnerabilidad de Permisos Incorrectos por Defecto en el empaquetado del testuite slurm de openSUSE Factory permite a atacantes locales con control sobre el usuario slurm escalar a root. Este problema afecta a openSUSE Factory slurm versiones anteriores a 22.05.2-3.3 • https://bugzilla.suse.com/show_bug.cgi?id=1201674 • CWE-276: Incorrect Default Permissions •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-21950 – canna: unsafe handling of /tmp/.iroha_unix directory
https://notcve.org/view.php?id=CVE-2022-21950
A Improper Access Control vulnerability in the systemd service of cana in openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 allows local users to hijack the UNIX domain socket This issue affects: openSUSE Backports SLE-15-SP3 canna versions prior to canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 canna versions prior to 3.7p3-bp154.3.3.1. openSUSE Factory was also affected. Instead of fixing the package it was deleted there. Una vulnerabilidad de Control de Acceso inapropiado en el servicio systemd de cana en openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 permite a usuarios locales secuestrar el socket de dominio UNIX Este problema afecta a: openSUSE Backports SLE-15-SP3 versiones de canna anteriores a canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 versiones de canna anteriores a 3.7p3-bp154.3.3.1. openSUSE Factory también está afectado. En lugar de arreglar el paquete fue eliminado allí • https://bugzilla.suse.com/show_bug.cgi?id=1199280 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31250 – keylime %post scriplet allows for privilege escalation from keylime user to root
https://notcve.org/view.php?id=CVE-2022-31250
A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1. Una vulnerabilidad de UNIX Symbolic Link (Symlink) Following en keylime de openSUSE Tumbleweed permite a atacantes locales escalar desde el usuario keylime a root. Este problema afecta a: openSUSE Tumbleweed keylime versiones anteriores a 6.4.2-1.1 • https://bugzilla.suse.com/show_bug.cgi?id=1200885 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •