CVE-2017-10708

CWE-22 — Path Traversal CWE-20 — Improper Input Validation6 documents6 sources

Severity

7.8HIGH

EPSS

0.8%

top 26.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apport Project Apport

Timeline

PublishedJul 18

Latest updateMay 17

Description

An issue was discovered in Apport through 2.20.x. In apport/report.py, Apport sets the ExecutablePath field and it then uses the path to run package specific hooks without protecting against path traversal. This allows remote attackers to execute arbitrary code via a crafted .crash file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Ubuntuapport< 2.14.1-0ubuntu3.25+1

▶NVDapport_project/apport2.20.6

🔴Vulnerability Details

GHSA

GHSA-r8ph-m677-xqfj: An issue was discovered in Apport through 2↗2022-05-17

▶

OSV

CVE-2017-10708: An issue was discovered in Apport through 2↗2017-07-18

▶

CVEList

CVE-2017-10708: An issue was discovered in Apport through 2↗2017-07-18

▶

📋Vendor Advisories

Red Hat

openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service↗2018-01-24

▶

Ubuntu

Apport vulnerability↗2017-07-18

▶