CVE-2013-4472 — Link Following in Poppler

CWE-59 — Link Following CWE-377 — Insecure Temporary File10 documents7 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 80.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Poppler

Timeline

PublishedApr 22

Latest updateMay 17

Description

The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

CVSS vector

AV:L/AC:M/C:N/I:P/A:PExploitability: 3.4 | Impact: 4.9

Affected Packages1 packages

▶NVDfreedesktop/poppler0.24.3+3

🔴Vulnerability Details

GHSA

GHSA-6g5q-pc77-85j9: The openTempFile function in goo/gfile↗2022-05-17

▶

OSV

CVE-2013-4472: The openTempFile function in goo/gfile↗2014-04-22

▶

CVEList

CVE-2013-4472: The openTempFile function in goo/gfile↗2014-04-22

▶

📋Vendor Advisories

Red Hat

xpdf: insecure temporary file↗2013-10-26

▶

Debian

CVE-2013-4472: poppler - The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier...↗2013

▶

💬Community

Bugzilla

CVE-2013-4472 poppler, xpdf: insecure temporary file↗2013-10-30

▶

Bugzilla

CVE-2013-4472 CVE-2013-4473 CVE-2013-4474 poppler: various flaws [fedora-all]↗2013-10-30

▶

Bugzilla

CVE-2013-4472 poppler, xpdf: insecure temporary file [fedora-all]↗2013-10-30

▶

Bugzilla

CVE-2013-4472 poppler, xpdf: insecure temporary file [epel-all]↗2013-10-30

▶