CVE-2015-5700 — Link Following in Texlive-bin

CWE-59 — Link Following CWE-377 — Insecure Temporary File12 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 74.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Texlive-bin TUG Texlive

Timeline

PublishedAug 25

Latest updateMay 17

Description

mktexlsr revision 22855 through revision 36625 as packaged in texlive allows local users to write to arbitrary files via a symlink attack.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:NExploitability: 1.8 | Impact: 4.2

Affected Packages2 packages

▶debiandebian/texlive-bin< texlive-bin 2014.20140926.35254-5 (bookworm)+1

▶NVDtug/texlive5 versions+4

Patches

Patch: bugzilla.redhat.com ↗Patch: www.tug.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-548j-7qqv-2mvf: mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack↗2022-05-17

▶

GHSA

GHSA-hqv5-49rw-222p: mktexlsr revision 22855 through revision 36625 as packaged in texlive allows local users to write to arbitrary files via a symlink attack↗2022-05-14

▶

OSV

texlive-bin vulnerabilities↗2018-10-11

▶

OSV

CVE-2015-5700: mktexlsr revision 22855 through revision 36625 as packaged in texlive allows local users to write to arbitrary files via a symlink attack↗2017-08-25

▶

📋Vendor Advisories

Ubuntu

Tex Live vulnerabilities↗2018-10-11

▶

Red Hat

texlive: insecure use of /tmp in mktexlsr↗2015-01-11

▶

Red Hat

texlive: insecure use of /tmp in mktexlsr↗2015-01-11

▶

Debian

CVE-2015-5701: texlive-bin - mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows...↗2015

▶

Debian

CVE-2015-5700: texlive-bin - mktexlsr revision 22855 through revision 36625 as packaged in texlive allows loc...↗2015

▶

💬Community

Bugzilla

CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr↗2015-01-12

▶