Lucene search

[email protected]CVE-2014-9706

HistoryMar 31, 2015 - 2:59 p.m.

CVE-2014-9706

2015-03-3114:59:04

CWE-19

[email protected]

web.nvd.nist.gov

cve-2014-9706

index.py

dulwich

remote attackers

arbitrary code

directory path

nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.4 High

AI Score

Confidence

Low

0.164 Low

EPSS

Percentile

96.0%

JSON

The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.

Affected configurations

NVD

Node

debiandebian_linuxMatch7.0

Node

dulwich_projectdulwichRange≤0.9.8

CPENameOperatorVersion
debian:debian_linuxdebian debian linuxeq7.0

CPE	Name	Operator	Version
debian:debian_linux	debian debian linux	eq	7.0

References

lists.fedoraproject.org/pipermail/package-announce/2015-April/154523.html

lists.fedoraproject.org/pipermail/package-announce/2015-April/154551.html

www.debian.org/security/2015/dsa-3206

www.openwall.com/lists/oss-security/2015/03/21/1

www.openwall.com/lists/oss-security/2015/03/22/26

git.samba.org/?p=jelmer/dulwich.git%3Ba=commitdiff%3Bh=091638be3c89f46f42c3b1d57dc1504af5729176

lists.launchpad.net/dulwich-users/msg00827.html

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.4 High

AI Score

Confidence

Low

0.164 Low

EPSS

Percentile

96.0%

JSON

Related for CVE-2014-9706

nessus4 fedora3 github1 debiancve1 cvelist1 openvas6 nvd1 prion1 ubuntucve1 osv2 debian2 securityvulns2 mageia1