#VU38947 Path traversal in Debian Linux - CVE-2017-8314


| Updated: 2020-08-09

Vulnerability identifier: #VU38947

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2017-8314

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Debian Linux
Operating systems & Components / Operating system

Vendor: Debian

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Debian Linux: 7.0

External links
https://www.securityfocus.com/bid/98668
https://github.com/xbmc/xbmc/pull/12024
https://lists.debian.org/debian-lts-announce/2018/01/msg00019.html
https://security.gentoo.org/glsa/201706-17

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Gentoo update for Kodi
Path traversal in Debian Linux