Unrated severityNVD Advisory· Published Oct 6, 2022· Updated Sep 16, 2024

permissions: chkstat does not check for group-writable parent directories or target files in safeOpen()

CVE-2022-31252

Description

A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

SUSE S.A./chkstatllm-create
SUSE S.A./permissionsllm-fuzzy
osv-coords10 versions
pkg:rpm/opensuse/permissions&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/permissions&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/permissions&distro=openSUSE%20Leap%20Micro%205.2 pkg:rpm/opensuse/permissions&distro=openSUSE%20Tumbleweed pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/permissions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
< 20181225-150200.23.15.1+ 9 more
- (no CPE)range: < 20181225-150200.23.15.1
- (no CPE)range: < 20201225-150400.5.11.1
- (no CPE)range: < 20181225-150200.23.15.1
- (no CPE)range: < 1599_20220912-1.1
- (no CPE)range: < 20181225-150200.23.15.1
- (no CPE)range: < 20181225-150200.23.15.1
- (no CPE)range: < 20181225-150200.23.15.1
- (no CPE)range: < 20201225-150400.5.11.1
- (no CPE)range: < 20170707-6.10.1
- (no CPE)range: < 20170707-6.10.1
openSUSE/openSUSE Leap 15.3v5
Range: permissions
openSUSE/openSUSE Leap 15.4v5
Range: permissions
openSUSE/openSUSE Leap Micro 5.2v5
Range: permissions
SUSE S.A./Linux Enterprise Servercpe-rescue
Range: permissions

Patches

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

bugzilla.suse.com/show_bug.cgimitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000