CVE-2014-9447

Severity Score

6.4

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

Vulnerabilidad de salto de directorio en la función read_long_names en libelf/elf_begin.c en elfutils 0.152 y 0.161 permite a atacantes remotos escribir a ficheros arbitrarios en el directorio root a través de una / (barra oblicua) en un archivo manipulado, tal y como fue demostrado al utilizar el programa ar.

*Credits: N/A

CVSS Scores

NISTv2 6.4

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-01-02 CVE Reserved
2015-01-02 CVE Published
2024-08-06 CVE Updated
2024-08-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (11)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2015-0033.html	X_refsource_confirm
http://secunia.com/advisories/61934	Third Party Advisory
http://secunia.com/advisories/62560	Third Party Advisory
http://secunia.com/advisories/62661	Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/12/29/2	Mailing List
http://www.securityfocus.com/bid/71804	Vdb Entry
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148321.html	2015-04-18
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148326.html	2015-04-18
http://www.mandriva.com/security/advisories?name=MDVSA-2015:047	2015-04-18
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e	2015-04-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Elfutils Project Search vendor "Elfutils Project"		Elfutils Search vendor "Elfutils Project" for product "Elfutils"				0.152 Search vendor "Elfutils Project" for product "Elfutils" and version "0.152"		-		Affected
Elfutils Project Search vendor "Elfutils Project"		Elfutils Search vendor "Elfutils Project" for product "Elfutils"				0.161 Search vendor "Elfutils Project" for product "Elfutils" and version "0.161"		-		Affected