Vulnerabilities > CVE-2019-15900 - Use of Uninitialized Resource vulnerability in Doas Project Doas

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

doas-project

CWE-908

critical

NVD

Published: 2019-10-18

Updated: 2024-02-16

Summary

An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root.

Vulnerable Configurations

Part	Description	Count
Application	Doas_Project Doas Project Doas 5.6-3 Doas Project Doas 5.9 Doas Project Doas 5.9-1 Doas Project Doas 5.9-2 Doas Project Doas 5.9-4 Doas Project Doas 5.9-5 Doas Project Doas 5.9-6 Doas Project Doas 5.9-7 Doas Project Doas 6.0 Doas Project Doas 6.0-0 Doas Project Doas 6.0-1 Doas Project Doas 6.1	18

Common Weakness Enumeration (CWE)

CWE-908 - Use of Uninitialized Resource

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References