CVE-2020-12831

EUVD-2020-5113

13.05.2020, 18:15

An issue was discovered in FRRouting FRR (aka Free Range Routing) through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissions, leading to a possible information leak via tools/frr.in and tools/frrcommon.sh.in. NOTE: some parties consider this user error, not a vulnerability, because the permissions are under the control of the user before any sensitive information is present in the file

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Affected Products (NVD)

Vendor	Product	Version
linuxfoundation	free_range_routing	𝑥 ≤ 7.3.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

frr

bookworm	unimportant
bookworm (security)	unimportant
bullseye	unimportant
bullseye (security)	unimportant
sid	unimportant
trixie	unimportant

Ubuntu Releases

Ubuntu Product

Codename

frr

bionic	dne
eoan	ignored
focal	not-affected
groovy	ignored
hirsute	ignored
impish	not-affected
jammy	not-affected
trusty	dne
xenial	dne

Known Exploits!

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1830805

https://github.com/FRRouting/frr/pull/6383

https://bugzilla.redhat.com/show_bug.cgi?id=1830805

https://github.com/FRRouting/frr/pull/6383