CVE-2018-14036 — Path Traversal in Accountsservice

CWE-22 — Path Traversal11 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

1.2%

top 20.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Accountsservice Freedesktop Accountsservice Debian Accountsservice

Timeline

PublishedJul 13

Latest updateMay 14

Description

Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/accountsservice< accountsservice 0.6.45-2 (bookworm)

▶NVDfreedesktop/accountsservice< 0.6.50

▶Debiancanonical/accountsservice< 0.6.45-2+3

▶Ubuntucanonical/accountsservice< 0.6.40-2ubuntu11.6+3

Patches

Patch: cgit.freedesktop.org ↗Patch: cgit.freedesktop.org ↗

🔴Vulnerability Details

GHSA

GHSA-2pjf-fjvv-2rf2: Directory Traversal with↗2022-05-14

▶

OSV

accountsservice vulnerabilities↗2020-11-04

▶

OSV

accountsservice vulnerabilities↗2020-11-03

▶

OSV

CVE-2018-14036: Directory Traversal with↗2018-07-13

▶

📋Vendor Advisories

Ubuntu

AccountsService vulnerabilities↗2020-11-04

▶

Ubuntu

AccountsService vulnerabilities↗2020-11-03

▶

Red Hat

accountsservice: insufficient path check in user_change_icon_file_authorized_cb() in user.c↗2018-07-13

▶

Debian

CVE-2018-14036: accountsservice - Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 b...↗2018

▶

💬Community

Bugzilla

CVE-2018-14036 accountsservice: insufficient path check in user_change_icon_file_authorized_cb() in user.c [fedora-all]↗2018-07-13

▶

Bugzilla

CVE-2018-14036 accountsservice: insufficient path check in user_change_icon_file_authorized_cb() in user.c↗2018-07-13

▶