CVE-2020-25860

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-25860

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-25860.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-25860

Related

GHSA-cgf3-h62j-w9vv
UBUNTU-CVE-2020-25860

Published

2020-12-21T18:15:15Z

Modified

2025-01-14T08:40:02.463173Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

References

Affected packages

Debian:11 / rauc

Package

Name: rauc
Purl: pkg:deb/debian/rauc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / rauc

Package

Name: rauc
Purl: pkg:deb/debian/rauc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / rauc

Package

Name: rauc
Purl: pkg:deb/debian/rauc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/rauc/rauc

Affected ranges

Type: GIT
Repo: https://github.com/rauc/rauc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

be52d07460db17534ca1dae717967f649b0229f7

Affected versions

Other

v0.*

v0.1

v0.1.1

v0.2

v0.3

v0.4

v1.*

v1.0

v1.0-rc1

v1.1

v1.2

v1.3

v1.4