1. Home
  2. Vulnerabilities
  3. CVE-2020-28374

CVE-2020-28374

CVSS v3.1 8.1 (High)
81% Progress
CVSS v2.0 5.5 (Medium)
55% Progress
EPSS 0.38 % (73th)
0.38% Progress
Affected Products 3
Advisories 64
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.

Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related CVEs
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2021-01-13 04:15:12
(3 years ago)
Updated Date
2023-11-07 03:21:21
(10 months ago)

Affected Products

Debian

Fedoraproject

Linux

Configuration #1

    CPE23 From Up To
  Linux Kernel prior 5.10.7 version cpe:2.3:o:linux:linux_kernel < 5.10.7

Configuration #2

    CPE23 From Up To
  Fedoraproject Fedora 32 cpe:2.3:o:fedoraproject:fedora:32
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33

Configuration #3

    CPE23 From Up To
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0