#VU47485 Path traversal in librepo - CVE-2020-14352
Published: August 30, 2020 / Updated: October 9, 2020
Vulnerability identifier: #VU47485
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-14352
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
librepo
librepo
Software vendor:
rpm-software-management
rpm-software-management
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in remote repository metadata. A remote attacker with control over the repository can trick the victim into downloading software and copy files outside of the destination directory on the targeted system. Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.