cbcvebase
CVE-2019-18182
Published 2020-02-24

Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.67% (88.3rd percentile)
pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package.

Affected (4 ranges)

Vendor          Product   Version range   Fixed in
fedoraproject   fedora    (not stated)    (not stated)
fedoraproject   fedora    (not stated)    (not stated)
fedoraproject   fedora    (not stated)    (not stated)
pacman_project  pacman    < 5.2           5.2

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the download_with_xfercommand() function within conf.c in pacman before 5.2; monitor for arbitrary command injection via a non-default XferCommand configuration combined with attacker-controlled database/package retrieval.
  • The upstream fix is available at the referenced commit; use it as a patch-level indicator to confirm whether a deployed pacman binary is patched.
  • Exploitation requires the user to have enabled a non-default XferCommand in pacman configuration; systems using only the default (no XferCommand set) are not exploitable.
  • Exploitation also requires unsigned databases to be in use; signed database enforcement mitigates the attack vector.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P