Lucene search

[email protected]CVE-2020-14352

HistoryAug 30, 2020 - 3:15 p.m.

CVE-2020-14352

2020-08-3015:15:12

CWE-22

[email protected]

web.nvd.nist.gov

328

cve-2020-14352

librepo

directory traversal

vulnerability

remote repository

path traversal

system compromise

8.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.5%

JSON

A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.

Affected configurations

Vulners

NVD

Node

redhatlibrepoRange≤1.12.1

VendorProductVersionCPE
redhatlibrepo*cpe:2.3:a:redhat:librepo:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	librepo	*	cpe:2.3:a:redhat:librepo::::::::

CNA Affected

[
  {
    "product": "librepo",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "librepo versions before 1.12.1"
      }
    ]
  }
]