CVE-2015-8768

🗓️ 13 Feb 2017 18:00:00Reported by mitreType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 54 Views

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone

Reporter	Title	Published	Views	Family All 14
CNVD	Ubuntu click privilege acquisition vulnerability	15 Feb 201700:00	–	cnvd
Cvelist	CVE-2015-8768	13 Feb 201718:00	–	cvelist
EUVD	EUVD-2015-8640	7 Oct 202500:30	–	euvd
NVD	CVE-2015-8768	13 Feb 201718:59	–	nvd
OpenVAS	Ubuntu: Security Advisory (USN-2771-1)	16 Oct 201500:00	–	openvas
OSV	CGA-2Q47-9VQW-FR92	9 Jan 202612:33	–	osv
OSV	CGA-JVMC-P9X3-H3M8	6 Jun 202412:26	–	osv
OSV	MINI-XXJ3-3HWH-4R4Q	29 May 202501:09	–	osv
OSV	UBUNTU-CVE-2015-8768	13 Feb 201718:59	–	osv
OSV	USN-2771-1 click vulnerability	15 Oct 201520:08	–	osv

NVD

Node

click_project clickMatch-

Node

canonical ubuntu_linuxMatch14.04lts

canonical ubuntu_linuxMatch15.04

Source	Link
insights	www.insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/
bugs	www.bugs.launchpad.net/ubuntu/+source/click/+bug/1506467
code	www.code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554
securityfocus	www.securityfocus.com/bid/96386
openwall	www.openwall.com/lists/oss-security/2016/01/12/8
plus	www.plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF
bazaar	www.bazaar.launchpad.net/~click-hackers/click/devel/revision/587
ubuntu	www.ubuntu.com/usn/usn-2771-1

13 May 2026 00:24Current

9.3High risk

Vulners AI Score9.3

CVSS 27.5

CVSS 39.8

EPSS0.0159

CWE-264