CVE-2013-2142 — Link Following in Libimobiledevice

CWE-59 — Link Following CWE-377 — Insecure Temporary File8 documents7 sources

Severity

3.3LOWNVD

EPSS

0.0%

top 93.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libimobiledevice Debian Libimobiledevice

Timeline

PublishedJan 19

Latest updateMay 17

Description

userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are not set, allows local users to overwrite arbitrary files via a symlink attack on (1) HostCertificate.pem, (2) HostPrivateKey.pem, (3) libimobiledevicerc, (4) RootCertificate.pem, or (5) RootPrivateKey.pem in /tmp/root/.config/libimobiledevice/.

CVSS vector

AV:L/AC:M/C:N/I:P/A:PExploitability: 3.4 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/libimobiledevice< libimobiledevice 1.1.5-0.1 (bookworm)

▶Debianlibimobiledevice/libimobiledevice< 1.1.5-0.1+3

▶NVDlibimobiledevice/libimobiledevice1.1.4

🔴Vulnerability Details

GHSA

GHSA-7wj3-4crv-vhfj: userpref↗2022-05-17

▶

OSV

CVE-2013-2142: userpref↗2014-01-19

▶

📋Vendor Advisories

Ubuntu

libimobiledevice vulnerability↗2013-08-14

▶

Red Hat

libimobiledevice: Insecure temporary file use when both $XDG_CONFIG_HOME and $HOME are unset↗2013-05-31

▶

Debian

CVE-2013-2142: libimobiledevice - userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are not se...↗2013

▶

💬Community

Bugzilla

CVE-2013-2142 libimobiledevice: Insecure temporary file use when both $XDG_CONFIG_HOME and $HOME are unset↗2013-06-03

▶

Bugzilla

CVE-2013-2142 libimobiledevice: Insecure temporary file use when both $XDG_CONFIG_HOME and $HOME are unset [fedora-all]↗2013-06-03

▶