
[ASA-202106-39] thefuck: arbitrary file overwrite

2021-06-15 00:00:00
security.archlinux.org

CVSS2 : 6.4 Medium
Vector : AV:N/AC:L/Au:N/C:N/I:P/A:P
Attack Vector : NETWORK
Attack Complexity : LOW
Authentication : NONE
Confidentiality Impact : NONE
Integrity Impact : PARTIAL
Availability Impact : PARTIAL

CVSS3 : 9.1 High
Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : NONE
Integrity Impact : HIGH
Availability Impact : HIGH

EPSS : 0.002 Low
Percentile : 59.1%

Arch Linux Security Advisory ASA-202106-39

Severity: Medium
Date : 2021-06-15
CVE-ID : CVE-2021-34363
Package : thefuck
Type : arbitrary file overwrite
Remote : No
Link : https://security.archlinux.org/AVG-2062

Summary

The package thefuck before version 3.31-1 is vulnerable to arbitrary
file overwrite.

Resolution

Upgrade to 3.31-1.

pacman -Syu "thefuck>=3.31-1"

The problem has been fixed upstream in version 3.31.

Workaround

None.

Description

The thefuck package before 3.31 allows path traversal that leads to
arbitrary file deletion via the “undo archive operation” feature.

Impact

An attacker could delete arbitrary files by tricking a user into using
the “undo archive operation” feature on a crafted archive file.
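
A defensive form of the cleanup step described above, as an added example (it is not thefuck's code and not the upstream fix): before deleting anything an archive lists, each member name is resolved against the working directory, and names that land outside it are skipped. The function names and the sample archive are constructed for illustration.

```python
import os
import tarfile
import tempfile

def is_within(base_dir, member_name):
    """True if member_name, resolved against base_dir, stays strictly inside it."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks; join() discards base
    # when member_name is absolute, so absolute names resolve outside.
    target = os.path.realpath(os.path.join(base, member_name))
    return target != base and os.path.commonpath([base, target]) == base

def undo_extract(archive_path, base_dir):
    """Delete files that extracting archive_path left in base_dir.
    Members resolving outside base_dir are never touched.
    Returns (removed, skipped) lists of member names."""
    removed, skipped = [], []
    with tarfile.open(archive_path) as archive:
        for name in archive.getnames():
            if not is_within(base_dir, name):
                skipped.append(name)          # traversal or absolute path
                continue
            target = os.path.join(base_dir, name)
            if os.path.isfile(target) or os.path.islink(target):
                os.remove(target)
                removed.append(name)
    return removed, skipped

def demo():
    """Constructed sample: one benign member, two names pointing outside work/."""
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "work")
        os.mkdir(work)
        victim = os.path.join(root, "victim.txt")   # outside work/
        for path in (victim, os.path.join(work, "notes.txt")):
            with open(path, "w") as fh:
                fh.write("data")
        archive_path = os.path.join(root, "sample.tar")
        with tarfile.open(archive_path, "w") as archive:
            for name in ("notes.txt", "../victim.txt", victim):
                archive.addfile(tarfile.TarInfo(name))   # empty members
        removed, skipped = undo_extract(archive_path, work)
        return removed, skipped, os.path.exists(victim)

if __name__ == "__main__":
    print(demo())
```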

References

https://vuln.ryotak.me/advisories/48
https://github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092
https://security.archlinux.org/CVE-2021-34363

OS          OS Version   Architecture   Package   Package Version   Filename
ArchLinux   any          any            thefuck   < 3.31-1          UNKNOWN
