Skip to content

Privilege Escalation in fscrypt

Moderate severity GitHub Reviewed Published Jun 23, 2021 to the GitHub Advisory Database • Updated May 20, 2024

Package

gomod github.com/google/fscrypt (Go)

Affected versions

< 0.2.4

Patched versions

0.2.4

Description

The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a successful login through certain applications that use Linux-PAM (aka pam).

References

Reviewed May 20, 2021
Published to the GitHub Advisory Database Jun 23, 2021
Last updated May 20, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Weaknesses

No CWEs

CVE ID

CVE-2018-6558

GHSA ID

GHSA-qj26-7grj-whg3

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.