Description
click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.
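The missing check described above, as an added example (not click's own code and not its actual fix): a pre-install validator that lists every tarball member whose name is not under `./`. The function names and sample member names are constructed for illustration, and the `..` component check is an extra assumption beyond what the description states.

```python
import io
import tarfile


def build_tar(names):
    """Build a constructed in-memory tarball with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            # TarInfo keeps the name exactly as given (no normalisation).
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def members_outside_dot_slash(tar_bytes):
    """Return names of members that are not '.' itself or below './'."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            name = member.name
            under_root = name == "." or name.startswith("./")
            # Assumption beyond the advisory text: also refuse '..' components,
            # which would leave the package root despite a './' prefix.
            climbs = ".." in name.split("/")
            if not under_root or climbs:
                rejected.append(name)
    return rejected


def is_installable(tar_bytes):
    """A package is accepted only if no member name was rejected."""
    return not members_outside_dot_slash(tar_bytes)


if __name__ == "__main__":
    ok = build_tar(["./bin/app", "./share/data.txt"])
    bad = build_tar(["./bin/app", "other/policy.file", "./a/../../b"])
    print(is_installable(ok), members_outside_dot_slash(ok))
    print(is_installable(bad), members_outside_dot_slash(bad))
```
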
| Release | Status | Note |
|---|---|---|
| devel | released | 0.4.39.1+15.10.20150702-0ubuntu2 |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was released [0.4.21.1ubuntu0.2]] |
| precise | DNE | |
| trusty | released | 0.4.21.1ubuntu0.2 |
| trusty/esm | DNE | trusty was released [0.4.21.1ubuntu0.2] |
| upstream | released | 0.4.41 |
| vivid | released | 0.4.38.5ubuntu0.2 |
| vivid/stable-phone-overlay | released | 0.4.40+15.10.20151006-0ubuntu1.1 |
| vivid/ubuntu-core | DNE | |
CVSS2: 7.5 High
CVSS3: 9.8 Critical