CVE-2020-25582

Description

In FreeBSD 12.2-STABLE before r369334, 11.4-STABLE before r369335, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 when a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

Related CPE's

o freebsd freebsd 11.4 -******

o freebsd freebsd 11.4 p1 ******

o freebsd freebsd 11.4 p2 ******

o freebsd freebsd 11.4 p3 ******

o freebsd freebsd 11.4 p4 ******

o freebsd freebsd 11.4 p5 ******

o freebsd freebsd 11.4 p6 ******

o freebsd freebsd 11.4 p7 ******

o freebsd freebsd 12.2 -******

o freebsd freebsd 12.2 p1 ******

References

https://security.FreeBSD.org/advisories/FreeBSD-SA-21:05.jail_chdir.asc

Vendor Advisory

CvssV3 impact

BaseSeverity	HIGH
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	CHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	HIGH
PrivilegesRequired	HIGH
BaseScore	8.7
VectorString	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Version	3.1
UserInteraction	NONE

CvssV2 impact

AccessComplexity	LOW
ConfidentialityImpact	COMPLETE
AvailabilityImpact	NONE
IntegrityImpact	COMPLETE
BaseScore	8.5
VectorString	AV:N/AC:L/Au:S/C:C/I:C/A:N
Version	2.0
AccessVector	NETWORK
Authentication	SINGLE