ubuntucve | Ubuntu.com | UB:CVE-2012-4245
History: Aug 31, 2012 - 12:00 a.m.

CVE-2012-4245

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.012
Percentile: 85.0%

The scriptfu network server in GIMP 2.6 does not require authentication,
which allows remote attackers to execute arbitrary commands via the
python-fu-eval command.

Notes

Author | Note
tyhicks | The scriptfu server is not widely used and security is not a part of the server’s design.
mdeslaur | The script-fu network server should not be used in untrusted environments. We are not going to fix this, marking as ignored.
