Lucene search

GitHub Advisory DatabaseGHSA-XRR4-74MC-RPJC

HistoryAug 21, 2018 - 5:01 p.m.

Pyro mishandles pid files in temporary directory locations and opening the pid file as root

2018-08-2117:01:29

CWE-59

GitHub Advisory Database

github.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

59.0%

JSON

pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.

Affected configurations

Vulners

Node

pyro_projectpyroRange<3.15

VendorProductVersionCPE
pyro_projectpyro*cpe:2.3:a:pyro_project:pyro:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pyro_project	pyro	*	cpe:2.3:a:pyro_project:pyro::::::::

References

bugs.debian.org/631912

github.com/advisories/GHSA-xrr4-74mc-rpjc

github.com/irmen/Pyro3/commit/554e095a62c4412c91f981e72fd34a936ac2bf1e

nvd.nist.gov/vuln/detail/CVE-2011-2765

pythonhosted.org/Pyro/12-changes.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

59.0%

JSON

Related for GHSA-XRR4-74MC-RPJC