How severe is CVE-2021-27851?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.5 out of 10.

What type of vulnerability is CVE-2021-27851?

This is classified as CWE-264, which is a common weakness in software security.

CVE-2021-27851 - MEDIUM Severity | CVSS 5.5

Vulnerability Description

A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.

Related Vulnerabilities

CVE-2014-2079

MEDIUM

CVSS:5.5(Medium)

X File Explorer (aka xfe) might allow local users to bypass intended access restrictions and gain access to arbitrary files by leveraging failure to use directory masks when creating files on Samba an...

CWE-2642014

CVE-2015-8621

MEDIUM

CVSS:5.5(Medium)

t-coffee before 11.00.8cbe486-2 allows local users to write to ~/.t_coffee globally.

CWE-2642015

CVE-2016-10187

MEDIUM

CVSS:5.5(Medium)

The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with JavaScript.

CWE-2642016

CVE-2016-2202

MEDIUM

CVSS:5.5(Medium)

The Inventory Solution component in the Management Agent in the client in Symantec Altiris IT Management Suite (ITMS) through 7.6 HF7 allows local users to bypass intended application-blacklist restri...

CWE-2642016

CVE-2016-2457

MEDIUM

CVSS:5.5(Medium)

server/pm/UserManagerService.java in Wi-Fi in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 allows attackers to bypass intended restrictions on Wi-Fi configuration changes ...

CWE-2642016

CVE-2016-2809

MEDIUM

CVSS:5.5(Medium)

The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 on Windows allows user-assisted remote attackers to delete arbitrary files by leveraging certain local file execution.

CWE-2642016