{
  "threat_severity" : "Moderate",
  "public_date" : "2020-05-31T00:00:00Z",
  "bugzilla" : {
    "description" : "systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits",
    "id" : "1845534",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1845534"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-440",
  "details" : [ "systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.", "A flaw was found in systemd, where it mishandles numerical usernames beginning with decimal digits, or \"0x\" followed by hexadecimal digits. When the usernames are used by systemd, for example in service units, an unexpected user may be used instead. In some particular configurations, this flaw allows local attackers to elevate their privileges." ],
  "statement" : "The flaw is rated as Moderate because several uncommon conditions have to be met to make it exploitable. Numerical usernames composed of decimal digits or starting with \"0x\" followed by hexadecimal digits must exist on the system. Systemd would need to process those particular usernames (e.g. while using the `User=` directive in a systemd service unit). If the service was supposed to run as a regular user and the binary being executed can be controlled by a local attacker, they could abuse this flaw to unexpectedly execute code as root when the service is started. If the service was run as a regular user to limit the impact of a possible flaw in the service, this flaw would not provide the intended additional protection.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1611",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "systemd-0:239-45.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2021-10-19T00:00:00Z",
    "advisory" : "RHSA-2021:3900",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.2",
    "package" : "systemd-0:239-31.el8_2.7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "systemd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "systemd",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-13776\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13776" ],
  "name" : "CVE-2020-13776",
  "mitigation" : {
    "value" : "Do not use the `User=` directive in services with numerical usernames composed of decimal digits or starting with \"0x\" followed by hexadecimal digits (e.g. 0x[0-9A-Fa-f]+).",
    "lang" : "en:us"
  },
  "csaw" : false
}