CVE-2021-25630 Information

Description

loolforkit is a privileged program that is supposed to be run by a special non-privileged lool user. Before doing anything else, loolforkit checks that it was invoked by the lool user and refuses to run with privileges otherwise. In the vulnerable version of loolforkit this check was wrong, so a normal user could start loolforkit and eventually get local root privileges.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.openwall.com/lists/oss-security/2021/01/18/3
https://github.com/CollaboraOnline/online/security/advisories/GHSA-49w3-gr3w-m68v

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

7.8

Base Severity

HIGH
