CVE-2015-5701 — Insecure Temporary File in Texlive

CWE-377 — Insecure Temporary File CWE-59 — Link Following5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 60.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

TUG Texlive Debian Texlive-bin

Timeline

PublishedAug 25

Latest updateMay 17

Description

mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-5700.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:NExploitability: 1.8 | Impact: 4.2

Affected Packages2 packages

▶NVDtug/texlive5 versions+4

▶debiandebian/texlive-bin

Patches

Patch: bugzilla.redhat.com ↗Patch: www.tug.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-548j-7qqv-2mvf: mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack↗2022-05-17

▶

📋Vendor Advisories

Red Hat

texlive: insecure use of /tmp in mktexlsr↗2015-01-11

▶

Debian

CVE-2015-5701: texlive-bin - mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows...↗2015

▶

💬Community

Bugzilla

CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr↗2015-01-12

▶