CVE-2020-14352

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-14352
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-14352.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-14352
Downstream
Related
Published
2020-08-30T15:15:12Z
Modified
2025-07-29T09:06:09.757358Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.

References

Affected packages

Git / github.com/rpm-software-management/librepo

Affected ranges

Type
GIT
Repo
https://github.com/rpm-software-management/librepo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d4ad350291f2937c0b6a3eea9e1d0c8e1051fc32

Affected versions

1.*

1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6

librepo-0.*

librepo-0.0.2
librepo-0.0.4

librepo-1.*

librepo-1.0.0
librepo-1.1.0
librepo-1.2.0
librepo-1.2.1
librepo-1.3.0
librepo-1.4.0
librepo-1.5.0
librepo-1.5.1
librepo-1.5.2
librepo-1.6.0
librepo-1.7.0
librepo-1.7.1
librepo-1.7.10
librepo-1.7.11
librepo-1.7.12
librepo-1.7.13
librepo-1.7.14
librepo-1.7.15
librepo-1.7.16
librepo-1.7.17
librepo-1.7.18
librepo-1.7.19
librepo-1.7.2
librepo-1.7.20
librepo-1.7.3
librepo-1.7.4
librepo-1.7.5
librepo-1.7.6
librepo-1.7.7
librepo-1.7.8
librepo-1.7.9