QwikSec

Security Database

CVE

CWE

Training

CVE-2019-18932

Published: Jan 21, 2020

Modified: Aug 5, 2024

PUBLISHED

Description

log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://bugzilla.suse.com/show_bug.cgi?id=1150554

x_refsource_MISC

https://sourceforge.net/projects/sarg/

x_refsource_MISC

[oss-security] 20200120 CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector

mailing-list

x_refsource_MLIST

http://www.openwall.com/lists/oss-security/2020/01/20/6

x_refsource_MISC

[oss-security] CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector

mailing-list

x_refsource_MLIST

[oss-security] 20200127 Re: CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector

mailing-list

x_refsource_MLIST

openSUSE-SU-2020:0117

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2020:0140

vendor-advisory

x_refsource_SUSE

vendor-advisory

x_refsource_GENTOO

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.