
CVE-2021-25630

Improper Privilege Management

Published: Feb 23, 2021 | Modified: Feb 27, 2021

CVSS 3.x: 7.8 HIGH (source: NVD)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.x: 7.2 HIGH
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

loolforkit is a privileged program that is supposed to be started only by a special, non-privileged lool user. Before doing anything else, loolforkit checks whether it was invoked by the lool user and refuses to run with privileges if that is not the case. In the vulnerable version of loolforkit this check was wrong, so an ordinary local user could start loolforkit and eventually obtain local root privileges. This matches the vector above: local access with low privileges (AV:L/PR:L), no user interaction, and a full compromise of confidentiality, integrity and availability.
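
The description above hinges on one gate: a privileged helper must establish, before doing anything else, which account actually executed it, and fail closed otherwise. The following is an added example written for this page to show what such a gate looks like when done carefully. It is not loolforkit's source and is not a reconstruction of the faulty check that the CVE refers to; the account name "lool" is taken from the description, and the function names are hypothetical.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Account allowed to start the helper. The name comes from the CVE text;
 * treating it as a compile-time constant is a choice made for this example. */
#define ALLOWED_USER "lool"

/* The decision is keyed on the REAL uid of the caller, compared as a uid,
 * not as a name. In a setuid-root helper the effective uid is 0 for every
 * caller, so only the real uid says who ran the program. */
bool invoker_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == allowed_uid;
}

/* Resolve the allowed account and compare it with the real uid of this
 * process. Fails closed: an unknown account and a mismatch both refuse. */
bool startup_check(const char *allowed_name)
{
    struct passwd *pw = getpwnam(allowed_name);
    if (pw == NULL) {
        fprintf(stderr, "refusing to run: account '%s' does not exist\n",
                allowed_name);
        return false;
    }

    uid_t real = getuid();
    if (!invoker_allowed(real, pw->pw_uid)) {
        fprintf(stderr,
                "refusing to run: invoked by uid %u, expected '%s' (uid %u)\n",
                (unsigned)real, allowed_name, (unsigned)pw->pw_uid);
        return false;
    }
    return true;
}

int main(void)
{
    /* Run the gate before opening files, forking or using any privilege. */
    if (!startup_check(ALLOWED_USER)) {
        return 1;
    }
    /* Only now continue with the privileged work. */
    puts("invoker check passed");
    return 0;
}
```

Two properties matter here: the comparison uses the real uid from getuid(), which a setuid binary cannot mistake for the caller's identity the way geteuid() can, and every failure path refuses rather than continuing. Run as any user other than lool, the program exits with status 1 before doing anything else.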

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name    Vendor           Start Version   End Version
Online  Collaboraoffice  6.4.0           *
Online  Collaboraoffice  4.2.0           *

An end version of * means this entry records no upper bound for the affected range; consult the vendor's release notes for the fixed builds.
