PT-2020-13978 · Librepo +3

Mauro Matteo Cascella +2 · Published 2020-08-13 · Updated 2021-03-05 · CVE-2020-14352

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: librepo versions prior to 1.12.1

Description: A directory traversal issue was found in librepo where it failed to sanitize paths in remote repository metadata. This could allow an attacker controlling a remote repository to copy files outside of the destination directory on the targeted system via path traversal, potentially resulting in system compromise by overwriting critical system files. The highest threat is to users who use untrusted third-party repositories.

Recommendations: For versions prior to 1.12.1, update to version 1.12.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of untrusted third-party repositories until the update is applied.
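The defensive check the description calls for, as an added example that is not librepo's own code: a file path taken from untrusted repository metadata is validated lexically (no absolute paths, no ".." component that climbs above the download directory) before it is joined to the destination directory. The function names `metadata_path_is_safe` and `build_destination`, the directory `/var/cache/repo` and the sample metadata entries are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not librepo code): lexically validate a file path taken
 * from untrusted repository metadata before joining it to the download
 * directory.  All names here are hypothetical. */

/* Returns true only if rel_path is relative and, after resolving "." and
 * "..", still names an entry strictly inside the destination directory. */
bool metadata_path_is_safe(const char *rel_path)
{
    if (rel_path == NULL || rel_path[0] == '\0')
        return false;                       /* nothing to check */
    if (rel_path[0] == '/')
        return false;                       /* absolute path escapes destdir */

    int depth = 0;                          /* directories descended so far */
    const char *p = rel_path;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);

        if (len == 0 || (len == 1 && seg[0] == '.')) {
            /* "a//b" or "./": no change in depth */
        } else if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return false;               /* ".." above destdir: traversal */
            depth--;
        } else {
            depth++;
        }
        if (*p == '/')
            p++;
    }
    /* Must name something below destdir, not destdir itself ("a/.."). */
    return depth > 0;
}

/* Join destdir and rel_path into out.  Returns 0 on success, -1 if the
 * path is unsafe or the result does not fit in out. */
int build_destination(char *out, size_t outlen,
                      const char *destdir, const char *rel_path)
{
    if (!metadata_path_is_safe(rel_path))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", destdir, rel_path);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample entries, as a hostile repository's metadata might
     * list them; the traversal ones must be rejected. */
    const char *entries[] = {
        "repodata/primary.xml.gz",
        "../../etc/hosts",
        "/etc/cron.d/job",
        "repodata/../../../tmp/x",
        "repodata/./filelists.xml.gz",
    };
    char path[256];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (build_destination(path, sizeof path, "/var/cache/repo", entries[i]) == 0)
            printf("OK       %s -> %s\n", entries[i], path);
        else
            printf("REJECTED %s\n", entries[i]);
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind: this check is purely lexical, so it does not protect against a symlink that already exists inside the destination directory and points elsewhere (open the target with O_NOFOLLOW or resolve the parent with realpath() after creating it if that matters), and a C string cannot see an embedded NUL byte, so the length reported by the XML parser should be compared with strlen() of the path before it is used.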

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CESA-2020_3658
CESA-2020_5012
CVE-2020-14352
MGASA-2020-0429
OESA-2021-1055
OPENSUSE-SU-2020:1289-1
OPENSUSE-SU-2020:1428-1
OPENSUSE-SU-2020_1289-1
OPENSUSE-SU-2021:0277-1
OPENSUSE-SU-2021:0295-1
OPENSUSE-SU-2021_0277-1
OPENSUSE-SU-2024:10984-1
RHSA-2020:3658
RHSA-2020:3749
RHSA-2020:3756
RHSA-2020:5012
RHSA-2020_3658
RHSA-2020_5012

Affected Products

Centos
Red Hat
Suse
Librepo