CVE-2017-9286

EUVD-2017-18222
The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsafe manner, which could have allowed scripts running as wwwrun user to escalate privileges to root during nextcloud package upgrade.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
microfocusCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
Affected Products (NVD)
VendorProductVersion
opensuseleap
42.3
𝑥
= Vulnerable software versions
References
https://bugzilla.suse.com/show_bug.cgi?id=1036756
https://lists.opensuse.org/opensuse-updates/2017-10/msg00010.html
https://www.suse.com/de-de/security/cve/CVE-2017-9286/
https://bugzilla.suse.com/show_bug.cgi?id=1036756
https://lists.opensuse.org/opensuse-updates/2017-10/msg00010.html
https://www.suse.com/de-de/security/cve/CVE-2017-9286/