Vulnerability CVE-2014-1838


Published: 2014-03-11

Description:
The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.

Type:

CWE-59

(Improper Link Resolution Before File Access ('Link Following'))

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.4/10
6.4/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Opensuse -> Opensuse 
Novell -> Opensuse 
Logilab -> Logilab-common 

 References:
http://comments.gmane.org/gmane.comp.security.oss.general/11986
http://lists.opensuse.org/opensuse-updates/2014-02/msg00085.html
http://www.logilab.org/ticket/207561
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051

Copyright 2024, cxsecurity.com

 

Back to Top