CVE-2020-14352

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-14352
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-14352.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-14352
Related
Published
2020-08-30T15:15:12Z
Modified
2025-01-14T08:22:10.164086Z
Downstream
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.

References

Affected packages

Git / github.com/rpm-software-management/librepo

Affected ranges

Type
GIT
Repo
https://github.com/rpm-software-management/librepo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6

librepo-0.*

librepo-0.0.2
librepo-0.0.4

librepo-1.*

librepo-1.0.0
librepo-1.1.0
librepo-1.2.0
librepo-1.2.1
librepo-1.3.0
librepo-1.4.0
librepo-1.5.0
librepo-1.5.1
librepo-1.5.2
librepo-1.6.0
librepo-1.7.0
librepo-1.7.1
librepo-1.7.10
librepo-1.7.11
librepo-1.7.12
librepo-1.7.13
librepo-1.7.14
librepo-1.7.15
librepo-1.7.16
librepo-1.7.17
librepo-1.7.18
librepo-1.7.19
librepo-1.7.2
librepo-1.7.20
librepo-1.7.3
librepo-1.7.4
librepo-1.7.5
librepo-1.7.6
librepo-1.7.7
librepo-1.7.8
librepo-1.7.9