A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Python-hyperkitty | Python-hyperkitty_project | * | 1.3.2-lp152.2.3.1 (including) |
| Hyperkitty | Ubuntu | bionic | * |
| Hyperkitty | Ubuntu | groovy | * |
| Hyperkitty | Ubuntu | hirsute | * |
| Hyperkitty | Ubuntu | impish | * |
| Hyperkitty | Ubuntu | kinetic | * |
| Hyperkitty | Ubuntu | lunar | * |
| Hyperkitty | Ubuntu | mantic | * |
| Hyperkitty | Ubuntu | trusty | * |
| Hyperkitty | Ubuntu | xenial | * |