CVE-2008-4640 — Improper Input Validation in Jhead

CWE-20 — Improper Input Validation6 documents6 sources

Severity

3.6LOWNVD

EPSS

0.1%

top 80.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jhead Project Jhead Debian Jhead Sentex Jhead

Timeline

PublishedOct 21

Latest updateMay 17

Description

The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and earlier allows local users to delete arbitrary files via vectors involving a modified input filename in which (1) a final "z" character is replaced by a "t" character or (2) a final "t" character is replaced by a "z" character.

CVSS vector

AV:L/AC:L/C:N/I:P/A:PExploitability: 3.9 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/jhead< jhead 2.85-1 (bookworm)

▶Debianjhead_project/jhead< 2.85-1+3

▶NVDsentex/jhead2.82+19

🔴Vulnerability Details

GHSA

GHSA-ph3v-wxq4-4xc6: The DoCommand function in jhead↗2022-05-17

▶

OSV

CVE-2008-4640: The DoCommand function in jhead↗2008-10-21

▶

📋Vendor Advisories

Red Hat

jhead: arbitrary file deletion↗2008-10-15

▶

Debian

CVE-2008-4640: jhead - The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and earlier allo...↗2008

▶

💬Community

Bugzilla

CVE-2008-4640 jhead: arbitrary file deletion↗2008-10-22

▶