CVE-2015-1396

CWE-22 — Path Traversal9 documents8 sources

Severity

7.5HIGH

EPSS

3.7%

top 12.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Patch Debian Debian Linux

Timeline

PublishedNov 25

Latest updateMay 24

Description

A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgnu/patch< 2.7.4

▶Debianpatch< 2.7.3-1+3

Also affects: Debian Linux 10.0, 11.0, 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-37cv-ggjj-37qh: A Directory Traversal vulnerability exists in the GNU patch before 2↗2022-05-24

▶

OSV

CVE-2015-1396: A Directory Traversal vulnerability exists in the GNU patch before 2↗2019-11-25

▶

CVEList

CVE-2015-1396: A Directory Traversal vulnerability exists in the GNU patch before 2↗2019-11-25

▶

📋Vendor Advisories

Ubuntu

GNU patch vulnerabilities↗2015-06-22

▶

Red Hat

patch: directory traversal via symlinks (incomplete fix for CVE-2015-1196)↗2015-01-24

▶

Debian

CVE-2015-1396: patch - A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remo...↗2015

▶

💬Community

Bugzilla

CVE-2015-1396 patch: directory traversal via symlinks (incomplete fix for CVE-2015-1196)↗2015-01-28

▶

Bugzilla

CVE-2014-3585 redhat-upgrade-tool: does not check GPG signatures on package installation↗2014-08-01

▶