GitHub Advisory DatabaseGHSA-6X45-86Q6-RCMRGyazo allows local users to write arbitrary files
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
5.1%
lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| gyazo_project | gyazo | 1.0.0 | cpe:2.3:a:gyazo_project:gyazo:1.0.0:*:*:*:*:ruby:*:* |
References
www.openwall.com/lists/oss-security/2014/07/07/13
www.openwall.com/lists/oss-security/2014/07/17/5
github.com/advisories/GHSA-6x45-86q6-rcmr
github.com/rubysec/ruby-advisory-db/blob/master/gems/gyazo/CVE-2014-4994.yml
nvd.nist.gov/vuln/detail/CVE-2014-4994
web.archive.org/web/20200229061943/www.vapid.dhs.org/advisories/gyazo-1.0.0.html
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
5.1%