Remote code execution

2018-12-2015:29:00

PRIOn knowledge base

www.prio-n.com

8.9 High

AI Score

Confidence

High

0.016 Low

EPSS

Percentile

87.5%

JSON

Alpine Linux version Versions prior to 2.6.10, 2.7.6, and 2.10.1 contains a Other/Unknown vulnerability in apk-tools (Alpine Linux’ package manager) that can result in Remote Code Execution. This attack appear to be exploitable via A specially crafted APK-file can cause apk to write arbitrary data to an attacker-specified file, due to bugs in handling long link target name and the way a regular file is extracted… This vulnerability appears to have been fixed in 2.6.10, 2.7.6, and 2.10.1.

CPENameOperatorVersion
alpine_linuxlt2.6.10
alpine_linuxge2.7.0
alpine_linuxlt2.7.6
alpine_linuxge2.7.7
alpine_linuxlt2.10.1

Name	Operator	Version
alpine_linux	lt	2.6.10
alpine_linux	ge	2.7.0
alpine_linux	lt	2.7.6
alpine_linux	ge	2.7.7
alpine_linux	lt	2.10.1

References

alpinelinux.org/posts/Alpine-3.8.1-released.html

git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

justi.cz/security/2018/09/13/alpine-apk-rce.html