CVE-2020-14352
CVSS V2 High 8.5
CVSS V3 High 8
Description
A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.
Overview
- CVE ID
- CVE-2020-14352
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Analyzed
- Published Version
- 2020-08-30T15:15:12
- Last Modified Date
- 2020-11-09T14:28:51
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:redhat:librepo:*:*:*:*:*:*:*:* | 1 | OR | 1.12.1 | |
| cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:S/C:C/I:C/A:C
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- SINGLE
- Confidentiality Impact
- COMPLETE
- Integrity Impact
- COMPLETE
- Availability Impact
- COMPLETE
- Base Score
- 8.5
- Severity
- HIGH
- Exploitability Score
- 6.8
- Impact Score
- 10
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- REQUIRED
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 8
- Base Severity
- HIGH
- Exploitability Score
- 2.1
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.html | Mailing List Patch Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1866498 | Issue Tracking Patch Third Party Advisory |
| http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00055.html | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/ | Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OOMDEQBRJ7SO2QWL7H23G3VV2VSCUYOY/ | Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDMHVY7OMIJNSPVZ2GJWHT77Z5V3YJ55/ | Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-14352 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14352 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:20:49 | Added to TrackCVE | |||
| 2022-12-04 21:43:03 | 2020-08-30T15:15Z | 2020-08-30T15:15:12 | CVE Published Date | updated |
| 2022-12-04 21:43:03 | 2020-11-09T14:28:51 | CVE Modified Date | updated | |
| 2022-12-04 21:43:03 | Analyzed | Vulnerability Status | updated |