Link Resolution Flaw in openSUSE Factory sendmail (pre 8.17.1-1.1)
CVE-2022-31256 Published on October 26, 2022
sendmail: mail to root privilege escalation via sm-client.pre script
A Improper Link Resolution Before File Access ('Link Following') vulnerability in a script called by the sendmail systemd service of openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: SUSE openSUSE Factory sendmail versions prior to 8.17.1-1.1.
Vulnerability Analysis
CVE-2022-31256 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an insecure temporary file Vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2022-31256 has been classified to as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2022-31256
Want to know whenever a new CVE is published for OpenSuse Factory? stack.watch will email you.
Affected Versions
openSUSE Factory:- Version sendmail and below 8.17.1-1.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.