Path traversal in librepo - CVE-2020-14352

 

Path traversal in librepo - CVE-2020-14352

Published: August 30, 2020 / Updated: October 9, 2020


Vulnerability identifier: #VU47485
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-14352
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rpm-software-management
Affected software:
librepo

Detailed vulnerability description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in remote repository metadata. A remote attacker with control over the repository can trick the victim into downloading software and copy files outside of the destination directory on the targeted system. Successful exploitation of the vulnerability may result in system compromise.


How to mitigate CVE-2020-14352

Install update from vendor's website.

Sources