CVE-2020-5253 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.9 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
GitHub_M	CNA	3.9 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Affected Products (NVD)

Vendor	Product	Version
nethack	nethack	𝑥 < 3.6.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

nethack

bookworm	3.6.6-3 fixed
bullseye	3.6.6-2 fixed
sid	3.6.7-1 fixed
trixie	3.6.7-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

nethack

bionic	not-affected
eoan	not-affected
focal	not-affected
groovy	not-affected
hirsute	not-affected
impish	not-affected
jammy	not-affected
kinetic	not-affected
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	dne
xenial	needed

Common Weakness Enumeration

CWE-184 - Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://github.com/NetHack/NetHack/commits/612755bfb5c412079795c68ba392df5d93874ed8

https://github.com/NetHack/NetHack/security/advisories/GHSA-2c7p-3fj4-223m

https://github.com/NetHack/NetHack/commits/612755bfb5c412079795c68ba392df5d93874ed8

https://github.com/NetHack/NetHack/security/advisories/GHSA-2c7p-3fj4-223m