CVE-2015-7758 — Link Following in Gummi

CWE-59 — Link Following6 documents5 sources

Severity

3.3LOWNVD

EPSS

0.0%

top 85.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gummi Project Gummi Debian Gummi Opensuse Leap +1 more

Timeline

PublishedJan 8

Latest updateMay 14

Description

Gummi 0.6.5 allows local users to write to arbitrary files via a symlink attack on a temporary dot file that uses the name of an existing file and a (1) .aux, (2) .log, (3) .out, (4) .pdf, or (5) .toc extension for the file name, as demonstrated by .thesis.tex.aux.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages5 packages

▶debiandebian/gummi< gummi 0.6.5-6 (bookworm)

▶Debiangummi_project/gummi< 0.6.5-6+3

▶NVDgummi_project/gummi0.6.5

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.1, 13.2+1

🔴Vulnerability Details

GHSA

GHSA-r6gw-xg73-f977: Gummi 0↗2022-05-14

▶

OSV

CVE-2015-7758: Gummi 0↗2016-01-08

▶

📋Vendor Advisories

Debian

CVE-2015-7758: gummi - Gummi 0.6.5 allows local users to write to arbitrary files via a symlink attack ...↗2015

▶

💬Community

Bugzilla

CVE-2015-7758 gummi: Use of predictable filenames in /tmp↗2015-10-12

▶

Bugzilla

CVE-2015-7758 gummi: Use of predictable filenames in /tmp [fedora-all]↗2015-10-12

▶