Path traversal in beep - CVE-2018-1000532

 


Published: June 26, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU37007
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000532
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Johnathan Nightingale
Affected software: beep

Detailed vulnerability description

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

beep version 1.3 and up contains an External Control of File Name or Path vulnerability in the --device option. A local unprivileged user can use it to inhibit execution of arbitrary programs by other users, resulting in a DoS. The attack appears to be exploitable only when the system allows local users to run beep.


How to mitigate CVE-2018-1000532

Install update from vendor's website.
