Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.3
CVSSv2

CVE-2020-7040

Published: 21/01/2020 Updated: 27/01/2023
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Subscribe to Storebackup

Vulnerability Summary

storeBackup.pl in storeBackup up to and including 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. (Local users can also create a plain file named /tmp/storeBackup.lock to block use of storeBackup until an admin manually deletes that file.)

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

storebackup storebackup

debian debian linux 8.0

opensuse leap 15.1

opensuse backports sle 15.0

canonical ubuntu linux 18.04

canonical ubuntu linux 20.04

canonical ubuntu linux 16.04

Vendor Advisories

Debian CVElist Bug Report Logs: storebackup: CVE-2020-7040: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock
Debian Bug report logs - #949393 storebackup: CVE-2020-7040: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackuplock Package: src:storebackup; Maintainer for src:storebackup is Ryan Niebur <ryan@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 20 Jan 2020 ...

Mailing Lists

Full Disclosure: Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackuplock <!-- ...
Full Disclosure: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackuplock <!--X-Su ...
Full Disclosure: Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackuplock <!-- ...

References

CWE-59https://seclists.org/oss-sec/2020/q1/20http://www.openwall.com/lists/oss-security/2020/01/20/3https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-7040http://www.openwall.com/lists/oss-security/2020/01/21/2http://www.openwall.com/lists/oss-security/2020/01/22/2http://www.openwall.com/lists/oss-security/2020/01/22/3http://www.openwall.com/lists/oss-security/2020/01/23/1http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00054.htmlhttps://lists.debian.org/debian-lts-announce/2020/02/msg00003.htmlhttps://usn.ubuntu.com/4508-1/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949393https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322CVE-2006-4304wirelessCVE-2023-23022local file inclusionCVE-2024-27058CVE-2024-33820open redirectCVE-2024-27079
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook