CVE-2022-21946: 
Homebrew vulnerability analysis and mitigation

CVE-2022-21946 is a security vulnerability in the sudoers configuration of cscreen in openSUSE Factory. The vulnerability was discovered in early 2022 and affects cscreen version 1.2-1.3 and prior versions. The issue allows any local users to gain the privileges of the tty and dialout groups, enabling them to access and manipulate any running cscreen session (SUSE Bugzilla).

The vulnerability stems from an incorrect permission assignment for critical resources in the sudoers configuration. The issue lies in the sudoers rule that grants ALL users the ability to execute screen as the cscreen user without password authentication. The vulnerable configuration was: 'ALL ALL=(cscreen) NOPASSWD:/usr/bin/screen', which effectively allowed any system user, including accounts like 'nobody', to attach to shared screen sessions (SUSE Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows unauthorized users to gain access to the cscreen user's capabilities, including access to a proper home directory in /var/lib/cscreen where persistent data can be stored. Additionally, attackers can access shared information in existing cscreen sessions or place arbitrary information into existing or newly created cscreen sessions. The mere installation of the cscreen package is sufficient to enable most of this attack surface ([SUSE Bugzilla](https://bugzilla.suse.com/showbug.cgi?id=1196451)).

The vulnerability has been fixed by modifying the sudoers configuration to restrict access to only members of the cscreen group. The new configuration uses '%cscreen ALL=(cscreen) NOPASSWD:/usr/bin/screen' instead of the previous unrestricted access. The fix was implemented upstream in the cscreen repository ([SUSE Bugzilla](https://bugzilla.suse.com/showbug.cgi?id=1196451)).