pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root's ownership on files in the live root filesystem. This could be exploited by the slurm user to become the owner of root-owned files.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGentoo Ebuild For Slurm
APPGentoo≤ 22.05.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Related vulnerabilities
CVE-2024-12084CRITICAL9.8PL ✓ten sam vendor
Heap-based buffer overflow w rsync daemon — zapis poza granicami bufora sum2
CVE-2016-20021CRITICAL9.8PL ✓ten sam vendor
Brak weryfikacji podpisu PGP w Gentoo Portage emerge-webrsync
CVE-2023-28424CRITICAL9.1ten sam vendor
Soko if the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Se...
CVE-2024-12085HIGH7.5ten sam vendor
A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an att...
CVE-2023-26033HIGH7.5ten sam vendor
Gentoo soko is the code that powers packages.gentoo.org. Versions prior to 1.0.1 are vulnerable to SQL Injecti...