Lucene search

Gentoo FoundationMGASA-2022-0110

HistoryMar 23, 2022 - 11:36 a.m.

Updated sphinx packages fix security vulnerability

2022-03-2311:36:28

Gentoo Foundation

advisories.mageia.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

70.3%

JSON

It was found that sphinx could allow arbitrary files to be read by abusing a configuration option. (CVE-2020-29050)

OSVersionArchitecturePackageVersionFilename
Mageia8noarchsphinx< 2.3.2-0.beta.3.1sphinx-2.3.2-0.beta.3.1.mga8

OS	Version	Architecture	Package	Version	Filename
Mageia	8	noarch	sphinx	< 2.3.2-0.beta.3.1	sphinx-2.3.2-0.beta.3.1.mga8

References

bugs.mageia.org/show_bug.cgi?id=30076

lists.opensuse.org/archives/list/[email protected]/thread/BGIIYJ6U7AIFKGIYHMGJHVDPJF5AWYOA/

salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch

www.debian.org/security/2022/dsa-5036

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

70.3%

JSON

Related for MGASA-2022-0110