CVE-2017-8283

CWE-22 — Path Traversal5 documents5 sources

Severity

9.8CRITICAL

EPSS

1.1%

top 22.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Dpkg

Timeline

PublishedApr 26

Latest updateMay 17

Description

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDdebian/dpkg300 versions+299

▶Debiandpkg< 1.18.24+3

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-7cgr-cwf8-5c99: dpkg-source in dpkg 1↗2022-05-17

▶

CVEList

CVE-2017-8283: dpkg-source in dpkg 1↗2017-04-26

▶

OSV

CVE-2017-8283: dpkg-source in dpkg 1↗2017-04-26

▶

📋Vendor Advisories

Debian

CVE-2017-8283: dpkg - dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program...↗2017

▶