PT-2013-5037 · None+3 · Luci+3

Jan Pokorný

Published

2013-11-20

Updated

2019-04-22

CVE-2013-4482

CVSS v2.0

6.2

Medium

Vector

AV:L/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Luci version 0.26.0

Description The issue allows local users to gain privileges via a Trojan horse .egg-info file in the current working directory or its parent directories, due to an untrusted search path vulnerability in python-paste-script (aka paster) when started using the initscript.

Recommendations For Luci version 0.26.0, consider restricting access to the python-paste-script module until a patch is available, and avoid using the initscript to start Luci to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CESA-2013_1603

CVE-2013-4482

RHSA-2013:1603

RHSA-2013_1603

Affected Products

Centos

Luci

Red Hat

Python-Paste-Script

PT-2013-5037 · None+3 · Luci+3

CVE-2013-4482

Related Identifiers

Affected Products

References · 13