CVE-2020-25860

Опубликовано: 21 дек. 2020

Источник: nvd

CVSS3: 6.6

CVSS2: 7.1

EPSS Низкий

Описание

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

Ссылки

https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
Exploit
Third Party Advisory
https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework
Exploit
Third Party Advisory
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
Exploit
Third Party Advisory
https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pengutronix:rauc:*:*:*:*:*:*:*:*

Версия до 1.5 (исключая)

EPSS

Процентиль: 65%

0.00493

Низкий

6.6 Medium

CVSS3

7.1 High

CVSS2

Дефекты

CWE-367

Связанные уязвимости

CVE-2020-25860

CVSS3: 6.6

ubuntu

около 5 лет назад

CVE-2020-25860

CVSS3: 6.6

debian

около 5 лет назад

The install.c module in the Pengutronix RAUC update client prior to ve ...

EPSS

Процентиль: 65%

0.00493

Низкий

6.6 Medium

CVSS3

7.1 High

CVSS2

Дефекты

CWE-367