Lucene search

[email protected]CVE-2014-1638

HistoryJan 28, 2014 - 12:55 a.m.

CVE-2014-1638

2014-01-2800:55:00

CWE-59

[email protected]

web.nvd.nist.gov

cve-2014-1638

localepurge

symlink attack

security vulnerability

nvd

6.5 Medium

AI Score

Confidence

Low

3.3 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

(1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.

CPENameOperatorVersion
debian:localepurgedebian localepurgele0.7.3.1

CPE	Name	Operator	Version
debian:localepurge	debian localepurge	le	0.7.3.1

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=736359

www.openwall.com/lists/oss-security/2014/01/22/3

www.openwall.com/lists/oss-security/2014/01/22/4

www.osvdb.org/102379

www.osvdb.org/102381

www.securityfocus.com/bid/65098

exchange.xforce.ibmcloud.com/vulnerabilities/90669

6.5 Medium

AI Score

Confidence

Low

3.3 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for CVE-2014-1638

ubuntucve1 prion1 cvelist1 debiancve1