SB2015041502 - Multiple vulnerabilities in Lhaplus
Published: April 15, 2015 Updated: August 9, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2015-0907)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in Lhaplus before 1.70 allows remote attackers to execute arbitrary code via a crafted archive.
2) Path traversal (CVE-ID: CVE-2015-0906)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in Lhaplus before 1.70. A remote authenticated attacker can send a specially crafted HTTP request, and remote attackers can write to arbitrary files via a crafted archive.
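A pre-extraction check for the class of flaw described in item 2, as an added example (not code from this bulletin or from Lhaplus): it lists archive members whose names would resolve outside the extraction directory under Windows path rules. The ZIP format, the `C:\extract` destination and all function names are assumptions made for illustration.

```python
import io
import ntpath
import zipfile

DEST = r"C:\extract"  # hypothetical extraction directory (assumption)


def escapes_destination(member_name, dest=DEST):
    """True if member_name, extracted under dest, would land outside dest."""
    # Archives store '/', but Windows treats '\' as a separator too.
    name = member_name.replace("/", "\\")
    # Rooted, drive-qualified and UNC names ignore the destination entirely.
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return True
    dest_norm = ntpath.normcase(ntpath.normpath(dest))
    # normpath collapses '..' segments so the final location can be compared.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest_norm, name)))
    # Compare with a trailing separator so C:\extract2 does not pass as C:\extract.
    return target != dest_norm and not target.startswith(dest_norm + "\\")


def unsafe_members(archive_bytes, dest=DEST):
    """Return the stored names of all members that would escape dest."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if escapes_destination(info.filename, dest)]


def build_sample_archive():
    """Constructed sample: two entries that stay in DEST, three that do not."""
    names = ("readme.txt", "docs/../notes.txt",
             "../../outside.txt", "/abs/outside.txt", "C:/outside.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("refuse to extract:", name)
```

The check works on the stored names only, so it can run before any file is written to disk.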
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://jvn.jp/en/jp/JVN12329472/414318/index.html
- http://jvn.jp/en/jp/JVN12329472/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000051
- http://www7a.biglobe.ne.jp/~schezo/
- http://jvn.jp/en/jp/JVN02527990/414318/index.html
- http://jvn.jp/en/jp/JVN02527990/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000050