CVE-2019-18183
published 2020-02-24


Priority: P2 / 59
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.67% (88.3rd percentile)
pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file.

Affected

4 ranges

Vendor         | Product | Version range | Fixed in
fedoraproject  | fedora  |               |
fedoraproject  | fedora  |               |
fedoraproject  | fedora  |               |
pacman_project | pacman  | < 5.2         | 5.2

Detection & IOCs (extracted from sources)

  • Vulnerable code is located in lib/libalpm/sync.c within the apply_deltas() function — monitor for command injection attempts targeting this code path in pacman versions before 5.2
  • Exploitation requires the delta feature to be enabled (non-default) and an attacker-controlled database and delta file to be retrieved — alert on pacman delta feature usage combined with unsigned database configurations
  • Exploitation is only possible when unsigned databases are in use — systems enforcing database signature verification are not exploitable via this vector
  • The delta feature is non-default; exploitation requires the user to have explicitly enabled it in their pacman configuration

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P