
Pacman Project Pacman vulnerabilities

4 known vulnerabilities affecting pacman_project/pacman.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 1

Vulnerabilities

CVE-2019-18182 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.2 | 2020-02-24
[CRITICAL] CWE-78 (OS command injection): pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package.
Source: nvd
CVE-2019-18183 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.2 | 2020-02-24
[CRITICAL] CWE-78 (OS command injection): pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file.
Source: nvd
CVE-2019-9686 | P3 | HIGH | CVSS 8.8 | fixed in 5.1.3 | 2019-03-11
[HIGH] CWE-22 (path traversal): pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL ("pacman -U <url>") due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling
Source: nvd
CVE-2016-5434 | P4 | MEDIUM | CVSS 5.5 | affects v5.0.1 | 2017-01-30
[MEDIUM] CWE-125 (out-of-bounds read): libalpm, as used in pacman 5.0.1, allows remote attackers to cause a denial of service (infinite loop or out-of-bounds read) via a crafted signature file.
Source: nvd
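The CVE-2019-9686 entry above describes the mechanism precisely: a file name taken from an HTTP Content-Disposition header is joined onto the cache directory and used as the target of a rename, so a name containing "../" walks out of the cache. The example below is added here to make that concrete; it is not pacman's or cvebase's code. It extracts the header parameter, builds the destination path the pre-5.1.3 way beside a hardened variant that refuses anything other than a single path component, and adds an assumed character allowlist that also strips the shell metacharacters which matter when a name is spliced into a command template such as XferCommand (the CVE-2019-18182 setting). The CACHE_DIR value, the header strings and all function names are assumptions made for the demo.

```c
/* Added example, not pacman source: why a header-supplied file name must be
 * a single path component before it is used to rename a downloaded package.
 * CACHE_DIR and the header strings below are assumptions for the demo. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CACHE_DIR "/var/cache/pacman/pkg"   /* assumed package cache */

/* Pull the filename= parameter out of a Content-Disposition header value.
 * Accepts the quoted and bare forms; false if missing, empty or too long. */
bool cd_filename(const char *header, char *out, size_t outlen)
{
    const char *p = strstr(header, "filename=");
    if (!p) return false;
    p += strlen("filename=");
    size_t n;
    if (*p == '"') {
        p++;
        const char *end = strchr(p, '"');
        if (!end) return false;
        n = (size_t)(end - p);
    } else {
        n = strcspn(p, "; \t\r\n");
    }
    if (n == 0 || n >= outlen) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Single path component: no separators, not "." or "..", no control bytes. */
bool name_is_single_component(const char *name)
{
    if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (const char *c = name; *c; c++)
        if (*c == '/' || *c == '\\' || iscntrl((unsigned char)*c))
            return false;
    return true;
}

/* Stricter allowlist (assumed, not pacman's rule): the characters that occur in
 * name-version-release-arch.pkg.tar.* file names. It also excludes every shell
 * metacharacter, which matters wherever a name is spliced into a command line
 * such as an XferCommand template. */
bool name_is_pkgfile_charset(const char *name)
{
    if (!name_is_single_component(name)) return false;
    for (const char *c = name; *c; c++)
        if (!isalnum((unsigned char)*c) && strchr("._+:-", *c) == NULL)
            return false;
    return true;
}

/* Pre-5.1.3 behaviour: join the cache dir and the name, trusted as-is. */
int dest_path_vuln(const char *name, char *out, size_t outlen)
{
    int r = snprintf(out, outlen, "%s/%s", CACHE_DIR, name);
    return (r > 0 && (size_t)r < outlen) ? 0 : -1;
}

/* Hardened: refuse the rename unless the name is a plain package file name. */
int dest_path_safe(const char *name, char *out, size_t outlen)
{
    if (!name_is_pkgfile_charset(name)) return -1;
    return dest_path_vuln(name, out, outlen);
}

/* Demo wrapper: header in, destination path out (NULL if rejected or unparsable). */
const char *resolve_download(const char *header, bool hardened)
{
    static char name[256], path[512];
    if (!cd_filename(header, name, sizeof name)) return NULL;
    int rc = hardened ? dest_path_safe(name, path, sizeof path)
                      : dest_path_vuln(name, path, sizeof path);
    return rc == 0 ? path : NULL;
}

int main(void)
{
    /* Constructed headers: one as a hostile mirror might send, one benign. */
    const char *evil = "attachment; filename=\"../../../../etc/cron.d/pwn\"";
    const char *good = "attachment; filename=\"foo-1.0-1-x86_64.pkg.tar.xz\"";
    const char *p;
    p = resolve_download(evil, false); printf("vuln : %s\n", p ? p : "rejected");
    p = resolve_download(evil, true);  printf("safe : %s\n", p ? p : "rejected");
    p = resolve_download(good, true);  printf("safe : %s\n", p ? p : "rejected");
    return 0;
}
```

The vulnerable path builder is deliberately kept so the traversal is visible: the hostile header resolves to a path under /etc, while the hardened variant returns NULL and the rename never happens. Rejecting on the name rather than canonicalising the joined path is the simpler rule here, because a package file name has no legitimate reason to contain a separator at all.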