// For flags

CVE-2020-8017

race condition on texlive-filesystem cron job allows for the deletion of unintended files

Severity Score

6.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A Race Condition Enabling Link Following vulnerability in the cron job shipped with texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users in group mktex to delete arbitrary files on the system This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1.

Una vulnerabilidad de CondiciĆ³n de Carrera habilitando un Seguimiento de Enlace en el trabajo de cron enviado con texlive-filesystem del SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1, permite a usuarios locales en el grupo mktex eliminar archivos arbitrarios sobre el sistema. Este problema afecta: texlive-filesystem de SUSE Linux Enterprise Module for Desktop Applications 15-SP1 versiones anteriores a 2017.135-9.5.1. texlive-filesystem de SUSE Linux Enterprise Software Development Kit 12-SP4 versiones anteriores a 2013.74-16.5.1. texlive-filesystem de SUSE Linux Enterprise Software Development Kit 12-SP5 versiones anteriores a 2013.74-16.5.1. texlive-filesystem de openSUSE Leap 15.1 versiones anteriores a 2017.135-lp151.8.3.1.

*Credits: Matthias Gerstner of SUSE
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-27 CVE Reserved
  • 2020-04-02 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Opensuse
Search vendor "Opensuse"
Texlive-filesystem
Search vendor "Opensuse" for product "Texlive-filesystem"
< 2017.135-9.5.1
Search vendor "Opensuse" for product "Texlive-filesystem" and version " < 2017.135-9.5.1"
-
Affected
in Suse
Search vendor "Suse"
Linux Enterprise Desktop
Search vendor "Suse" for product "Linux Enterprise Desktop"
15
Search vendor "Suse" for product "Linux Enterprise Desktop" and version "15"
sp1
Safe
Opensuse
Search vendor "Opensuse"
Texlive-filesystem
Search vendor "Opensuse" for product "Texlive-filesystem"
< 2013.74-16.5.1
Search vendor "Opensuse" for product "Texlive-filesystem" and version " < 2013.74-16.5.1"
-
Affected
in Suse
Search vendor "Suse"
Linux Enterprise Software Development Kit
Search vendor "Suse" for product "Linux Enterprise Software Development Kit"
12
Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "12"
sp4
Safe
Opensuse
Search vendor "Opensuse"
Texlive-filesystem
Search vendor "Opensuse" for product "Texlive-filesystem"
< 2013.74-16.5.1
Search vendor "Opensuse" for product "Texlive-filesystem" and version " < 2013.74-16.5.1"
-
Affected
in Suse
Search vendor "Suse"
Linux Enterprise Software Development Kit
Search vendor "Suse" for product "Linux Enterprise Software Development Kit"
12
Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "12"
sp5
Safe
Opensuse
Search vendor "Opensuse"
Texlive-filesystem
Search vendor "Opensuse" for product "Texlive-filesystem"
--
Affected
in Suse
Search vendor "Suse"
Linux Enterprise Desktop
Search vendor "Suse" for product "Linux Enterprise Desktop"
15
Search vendor "Suse" for product "Linux Enterprise Desktop" and version "15"
-
Safe
Opensuse
Search vendor "Opensuse"
Texlive-filesystem
Search vendor "Opensuse" for product "Texlive-filesystem"
< 2017.135-lp151.8.3.1
Search vendor "Opensuse" for product "Texlive-filesystem" and version " < 2017.135-lp151.8.3.1"
-
Affected
in Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Safe
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected