PT-2020-16399 · MySQL Server · DBdeployer

Smowton · Published 2020-12-21 · Updated 2024-08-21

CVE-2020-26277
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
DBdeployer versions prior to 1.58.2

Description
DBdeployer is a tool that deploys MySQL database servers easily. A user unpacking a tarball may be handed a maliciously packaged one that contains symlinks pointing to files outside the target directory. In that case an attacker could induce DBdeployer to write into a system file, thereby altering the machine's defenses. For the attack to succeed, two factors must combine: the user is logged in as root, and the user obtained the tarball from a non-secure source without checking its checksum.

Recommendations
For versions prior to 1.58.2, update to version 1.58.2 to fix the issue. As a temporary workaround, verify the checksum of the tarball before attempting to unpack it, and avoid running DBdeployer as root. Restrict access to system files and directories to minimize the risk of exploitation.
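Besides checksum verification and not running as root, the unpacking side can refuse link-following archives outright. The Go program below is an added example (not DBdeployer's own code and not the fix shipped in 1.58.2): it scans a tarball before extraction and reports every entry whose path or link target would resolve outside the destination directory. The tarball is constructed inline, and the destination /tmp/sandbox is an assumption.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

func within(dest, p string) bool { // does p, once cleaned, stay inside dest?
	rel, err := filepath.Rel(dest, filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// unsafeEntries scans a tar stream without extracting it and returns the entries that would
// escape dest: absolute or ".." paths, and symlinks or hard links whose target resolves outside dest.
func unsafeEntries(r io.Reader, dest string) ([]string, error) {
	tr, bad := tar.NewReader(r), []string{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return nil, err
		}
		target := hdr.Linkname // non-empty only for symlink and hard-link entries
		if hdr.Typeflag == tar.TypeLink { // hard-link targets are archive-relative
			target = filepath.Join(dest, target)
		} else if hdr.Typeflag == tar.TypeSymlink && !filepath.IsAbs(target) {
			target = filepath.Join(dest, filepath.Dir(hdr.Name), target) // relative to the link's own directory
		}
		if filepath.IsAbs(hdr.Name) || !within(dest, filepath.Join(dest, hdr.Name)) ||
			(target != "" && !within(dest, target)) {
			bad = append(bad, hdr.Name)
		}
	}
}

// buildSample returns a constructed in-memory tarball (test data, not a real
// DBdeployer package): a normal file, a symlink escaping dest, and a ".." path.
func buildSample() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "mysql/bin/mysqld", Typeflag: tar.TypeReg, Mode: 0o755})
	tw.WriteHeader(&tar.Header{Name: "mysql/lib/cfg", Typeflag: tar.TypeSymlink, Linkname: "../../../etc/example.conf"})
	tw.WriteHeader(&tar.Header{Name: "../escape.txt", Typeflag: tar.TypeReg})
	tw.Close()
	return buf.Bytes()
}
```

Because dest may already contain symlinks from an earlier extraction, a real extractor should also Lstat each path component at write time rather than rely on this pre-scan alone.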

Weakness Enumeration
Link Following

Related Identifiers
CVE-2020-26277
GHSA-47WR-426J-FR82
GO-2022-0787

Affected Products
DBdeployer