CVE-2021-25630

EUVD-2021-12526
"loolforkit" is a privileged program that is supposed to be run by a special, non-privileged "lool" user. Before doing anything else "loolforkit" checks, if it was invoked by the "lool" user, and refuses to run with privileges, if it's not the case. In the vulnerable version of "loolforkit" this check was wrong, so a normal user could start "loolforkit" and eventually get local root privileges.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
collaboraofficeonline
4.2.0 ≤
𝑥
< 4.2.13
collaboraofficeonline
6.4.0 ≤
𝑥
< 6.4.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/CollaboraOnline/online/security/advisories/GHSA-49w3-gr3w-m68v
https://www.openwall.com/lists/oss-security/2021/01/18/3
https://github.com/CollaboraOnline/online/security/advisories/GHSA-49w3-gr3w-m68v
https://www.openwall.com/lists/oss-security/2021/01/18/3