9.3

CVE-2016-1244

The extractTree function in unADF allows remote attackers to execute arbitrary code via shell metacharacters in a directory name in an adf file.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Unadf ProjectUnadf Version1.0
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.28% 0.915
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch
Patch
Vendor Advisory
http://www.debian.org/security/2016/dsa-3676
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Patch
Third Party Advisory
VDB Entry
https://lists.debian.org/debian-lts-announce/2024/03/msg00015.html
https://security.gentoo.org/glsa/201804-20
http://www.securityfocus.com/bid/93332