CVE-2018-1122 - log back

CVE-2018-1122 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Privilege escalation
Description
+ The top utility from procps-ng <= 3.3.14 reads its configuration file from the current working directory, without any security check, if the HOME environment variable is unset or empty. In this very unlikely scenario, an attacker can carry out an LPE (Local Privilege Escalation) if an administrator executes top in /tmp (for example), by exploiting one of several vulnerabilities in top's config_file() function.
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0097-top-Do-not-default-to-the-cwd-in-configs_read.patch