On affected installations, remote attackers could leverage the vulnerability to execute arbitrary code with root privileges. To exploit the issue, an attacker would have to convince a user to open a specially crafted website, which would lead to the compromise of the affected system. End users are advised to be cautious when downloading and installing software on the Internet. Mitigation The affected code has been patched, and davs2 v1.6.205 has been upgraded to v1.6.206.
CVE-2018-17621: Local privilege escalation through insecure handling of user input in the get_perm_field() function in source/permissions/permissions.c at davs2 v1.6.206 was discovered to be exploitable through insecure handling of user input. A local attacker could leverage this vulnerability to escalate privileges to root on the affected system. End users are advised to be cautious when accepting input from untrusted sources. Mitigation The vulnerable code has been patched. davs2 v1.6.206 has been upgraded to v1.6.207.
CVE-2018-17620: Local privilege escalation through insecure handling of user input in the set_perm_field() function in source/permissions/permissions.c at davs2 v1.6.206 was discovered to be exploitable through insecure handling of user input. A local attacker could leverage this vulnerability to escalate privileges to root on the affected system. End users
davs2 Vulnerability overview
In the sections below, we will dive into the specifics of each vulnerability.
CVE-2018-17621: Local privilege escalation through insecure handling of user input in the get_perm_field() function in source/permissions/permissions.c at davs2 v1.6.206 was discovered to be exploitable through insecure handling of user input. A local attacker could leverage this vulnerability to escalate privileges to root on the affected system. End users are advised to be cautious when accepting input from untrusted sources. Mitigation The vulnerable code has been patched. davs2 v1.6.206 has been upgraded to v1.6.207.
davs2 v1.6.205 has been upgraded to v1.6.206
A remote attacker could leverage this vulnerability to exploit the system by convincing a user to open a specially crafted website that would allow the attacker to compromise the system. The updated davs2 v1.6.206 is not vulnerable and has been deployed across our entire platform.
Software Information
Software Information:
Version: 1.6.205
Release Date: Jan 15, 2018
Vulnerability: CVE-2018-17621 and CVE-2018-17620
Timeline
Published on: 09/02/2022 22:15:00 UTC
Last modified on: 09/08/2022 03:28:00 UTC