CVE-2023-32182

19.09.2023, 16:15

A Improper Link Resolution Before File Access ('Link Following') vulnerability in SUSE SUSE Linux Enterprise Desktop 15 SP5 postfix, SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 postfix, SUSE openSUSE Leap 15.5 postfix.This issue affects SUSE Linux Enterprise Desktop 15 SP5: before 3.7.3-150500.3.5.1; SUSE Linux Enterprise High Performance Computing 15 SP5: before 3.7.3-150500.3.5.1; openSUSE Leap 15.5 : before 3.7.3-150500.3.5.1.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Affected Products (NVD)

Vendor	Product	Version
opensuse	leap	15.5
suse	linux_enterprise_high_performance_computing	15.0:sp5

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

postfix

bionic	not-affected
focal	not-affected
jammy	not-affected
lunar	not-affected
mantic	not-affected
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

postfix

suse enterprise desktop 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise desktop 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise desktop 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise desktop 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise sap 12 SP5	3.2.10-3.27.2 fixed
suse enterprise sap 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise sap 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise sap 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise sap 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise server 12 SP3	3.2.10-3.27.2 fixed
suse enterprise server 12 SP5	3.2.10-3.27.2 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise server 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise server 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise server 15 SP7	3.8.4-150600.3.3.1 fixed

postfix-bdb

suse enterprise sap 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise sap 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise sap 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise sap 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise server 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise server 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise server 15 SP7	3.8.4-150600.3.3.1 fixed

postfix-bdb-lmdb

suse enterprise sap 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise sap 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise sap 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise sap 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise server 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise server 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise server 15 SP7	3.8.4-150600.3.3.1 fixed

postfix-devel

suse enterprise desktop 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise desktop 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise desktop 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise desktop 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise sap 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise sap 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise sap 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise sap 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise server 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise server 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise server 15 SP7	3.8.4-150600.3.3.1 fixed

postfix-doc

suse enterprise desktop 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise desktop 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise desktop 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise desktop 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise sap 12 SP5	3.2.10-3.27.2 fixed
suse enterprise sap 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise sap 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise sap 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise sap 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise server 12 SP3	3.2.10-3.27.2 fixed
suse enterprise server 12 SP5	3.2.10-3.27.2 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise server 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise server 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise server 15 SP7	3.8.4-150600.3.3.1 fixed

postfix-ldap

suse enterprise desktop 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise desktop 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise desktop 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise desktop 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise sap 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise sap 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise sap 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise sap 15 SP7	3.8.4-150600.3.3.1 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed
suse enterprise server 15 SP5	3.7.3-150500.3.5.1 fixed
suse enterprise server 15 SP6	3.8.4-150600.1.5 fixed
suse enterprise server 15 SP7	3.8.4-150600.3.3.1 fixed

postfix-mysql

suse enterprise sap 12 SP5	3.2.10-3.27.2 fixed
suse enterprise server 12 SP3	3.2.10-3.27.2 fixed
suse enterprise server 12 SP5	3.2.10-3.27.2 fixed
suse enterprise server 15 SP4	3.5.9-150300.5.12.2 fixed

Known Exploits!

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32182