CVE-2017-14804

CWE-22 — Path Traversal CWE-20 — Improper Input Validation7 documents6 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 37.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Build Opensuse Leap Suse Linux Enterprise Software Development KIT

Timeline

PublishedMar 1

Latest updateMay 13

Description

The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages4 packages

▶Debianobs-build< 20180302-1+3

▶CVEListV5suse/buildunspecified — 20171128

▶NVDopensuse/leap42.2, 42.3+1

▶NVDsuse/linux_enterprise_software_development_kit11, 12+1

🔴Vulnerability Details

GHSA

GHSA-q7c2-6g86-6v93: The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of t↗2022-05-13

▶

OSV

CVE-2017-14804: The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of t↗2018-03-01

▶

CVEList

package builds could use directory traversal to write outside of target area↗2018-03-01

▶

📋Vendor Advisories

Debian

CVE-2017-14804: obs-build - The build package before 20171128 did not check directory names during extractio...↗2017

▶

💬Community

Bugzilla

CVE-2017-14804 obs-build: Exploit extractbuild to write to files in the host system↗2018-01-16

▶

Bugzilla

CVE-2017-14804 obs-build: Exploit extractbuild to write to files in the host system [fedora-all]↗2018-01-16

▶