vulnerability

Red Hat: CVE-2020-10737: CVE-2020-10737 oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack (Multiple Advisories)

Name: Red Hat: CVE-2020-10737: CVE-2020-10737 oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack (Multiple Advisories)
Creator: Red Hat
Published: 2020-05-27T00:00:00.000Z
Keywords: CVE, CWE-362, Red Hat, 2020, 10737, 10737 oddjob, redhat-upgrade-oddjob, redhat-upgrade-oddjob-debuginfo, redhat-upgrade-oddjob-debugsource, redhat-upgrade-oddjob-mkhomedir, redhat-upgrade-oddjob-mkhomedir-debuginfo, Severity 4

Try Surface Command

Back to search

Severity

CVSS

(AV:L/AC:H/Au:N/C:P/I:P/A:P)

Published

May 27, 2020

Added

Nov 5, 2020

Modified

Mar 27, 2026

Description

A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink point to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.

Solutions

redhat-upgrade-oddjobredhat-upgrade-oddjob-debuginforedhat-upgrade-oddjob-debugsourceredhat-upgrade-oddjob-mkhomedirredhat-upgrade-oddjob-mkhomedir-debuginfo

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report