CVE-2024-5742 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-5742 at MITRE

Description

A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
	SUSE
Base Score	6.3
Vector	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector	Local
Attack Complexity	High
Privileges Required	High
User Interaction	Required
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1226099 [IN_PROGRESS]

SUSE Security Advisories:

openSUSE-SU-2024:0157-1, published Wed Jun 12 00:49:10 2024

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP5	`nano >= 7.2-bp155.2.3.1` `nano-lang >= 7.2-bp155.2.3.1`	Patchnames: openSUSE-2024-157
SUSE Package Hub 15 SP6	`nano >= 7.2-bp156.3.3.1` `nano-lang >= 7.2-bp156.3.3.1`	Patchnames: openSUSE-2024-157
openSUSE Leap 15.5	`nano >= 7.2-bp155.2.3.1` `nano-lang >= 7.2-bp155.2.3.1`	Patchnames: openSUSE-2024-157
openSUSE Leap 15.6	`nano >= 7.2-bp156.3.3.1` `nano-lang >= 7.2-bp156.3.3.1`	Patchnames: openSUSE-2024-157
openSUSE Tumbleweed	`nano >= 8.0-2.1` `nano-lang >= 8.0-2.1`	Patchnames: openSUSE-Tumbleweed-2024-14034

SUSE Timeline for this CVE

CVE page created: Fri Jun 7 16:00:02 2024
CVE page last modified: Sun Jun 16 03:05:07 2024