{"containers":{"cna":{"affected":[{"product":"Linux kernel","vendor":"Linux kernel","versions":[{"lessThan":"5.11.0","status":"affected","version":"5.11-stable","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Giuseppe Scrivano"}],"datePublic":"2020-10-13T00:00:00.000Z","descriptions":[{"lang":"en","value":"Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.1,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-266","description":"CWE-266 Incorrect Privilege Assignment","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-02-10T19:45:26.000Z","orgId":"cc1ad9ee-3454-478d-9317-d3e869d708bc","shortName":"canonical"},"references":[{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://ubuntu.com/USN-4576-1"},{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://ubuntu.com/USN-4577-1"},{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://ubuntu.com/USN-4578-1"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.openwall.com/lists/oss-security/2020/10/14/2"},{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://launchpad.net/bugs/1894980"},{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://launchpad.net/bugs/1900141"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84"}],"source":{"advisory":"https://ubuntu.com/USN-4576-1","defect":["https://launchpad.net/bugs/1894980"],"discovery":"EXTERNAL"},"title":"Unprivileged overlay + shiftfs read access","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"AKA":"","ASSIGNER":"security@ubuntu.com","DATE_PUBLIC":"2020-10-13T16:00:00.000Z","ID":"CVE-2020-16120","STATE":"PUBLIC","TITLE":"Unprivileged overlay + shiftfs read access"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Linux kernel","version":{"version_data":[{"platform":"","version_affected":"<","version_name":"5.11-stable","version_value":"5.11.0"}]}}]},"vendor_name":"Linux kernel"}]}},"configuration":[],"credit":[{"lang":"eng","value":"Giuseppe Scrivano"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11."}]},"exploit":[],"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.1,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-266 Incorrect Privilege Assignment"}]}]},"references":{"reference_data":[{"name":"https://ubuntu.com/USN-4576-1","refsource":"UBUNTU","url":"https://ubuntu.com/USN-4576-1"},{"name":"https://ubuntu.com/USN-4577-1","refsource":"UBUNTU","url":"https://ubuntu.com/USN-4577-1"},{"name":"https://ubuntu.com/USN-4578-1","refsource":"UBUNTU","url":"https://ubuntu.com/USN-4578-1"},{"name":"https://www.openwall.com/lists/oss-security/2020/10/14/2","refsource":"CONFIRM","url":"https://www.openwall.com/lists/oss-security/2020/10/14/2"},{"name":"https://launchpad.net/bugs/1894980","refsource":"UBUNTU","url":"https://launchpad.net/bugs/1894980"},{"name":"https://launchpad.net/bugs/1900141","refsource":"UBUNTU","url":"https://launchpad.net/bugs/1900141"},{"name":"https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d","refsource":"CONFIRM","url":"https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d"},{"name":"https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f","refsource":"CONFIRM","url":"https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f"},{"name":"https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8","refsource":"CONFIRM","url":"https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8"},{"name":"https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52","refsource":"CONFIRM","url":"https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52"},{"name":"https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84","refsource":"CONFIRM","url":"https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84"}]},"solution":[],"source":{"advisory":"https://ubuntu.com/USN-4576-1","defect":["https://launchpad.net/bugs/1894980"],"discovery":"EXTERNAL"},"work_around":[]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T13:37:53.989Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://ubuntu.com/USN-4576-1"},{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://ubuntu.com/USN-4577-1"},{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://ubuntu.com/USN-4578-1"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.openwall.com/lists/oss-security/2020/10/14/2"},{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://launchpad.net/bugs/1894980"},{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://launchpad.net/bugs/1900141"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84"}]}]},"cveMetadata":{"assignerOrgId":"cc1ad9ee-3454-478d-9317-d3e869d708bc","assignerShortName":"canonical","cveId":"CVE-2020-16120","datePublished":"2021-02-10T19:45:26.096Z","dateReserved":"2020-07-29T00:00:00.000Z","dateUpdated":"2024-09-16T18:49:11.997Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}