CVE-2020-13776

EUVD-2020-5993
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA-ADPADP
6.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
systemd_projectsystemd
𝑥
≤ 245
netappactive_iq_unified_manager
-
netappsolidfire_\&_hci_management_node
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
systemd
bookworm
252.30-1~deb12u2
fixed
bullseye
247.3-7+deb11u5
fixed
bullseye (security)
247.3-7+deb11u6
fixed
buster
not-affected
sid
256.7-3
fixed
trixie
256.7-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
systemd
bionic
ignored
eoan
ignored
focal
ignored
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/systemd/systemd/issues/15985
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYGLFEKG45EYBJ7TPQMLWROWPTZBEU63/
https://security.netapp.com/advisory/ntap-20200611-0003/
https://github.com/systemd/systemd/issues/15985
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYGLFEKG45EYBJ7TPQMLWROWPTZBEU63/
https://security.netapp.com/advisory/ntap-20200611-0003/