7.5

CVE-2016-5418

Exploit
The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OracleLinux Version6
OracleLinux Version7
RedhatOpenshift Version3.1 SwEditionenterprise
RedhatOpenshift Version3.2 SwEditionenterprise
LibarchiveLibarchive Version <= 3.2.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.71% 0.907
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
Third Party Advisory
https://security.gentoo.org/glsa/201701-03
http://rhn.redhat.com/errata/RHSA-2016-1844.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1850.html
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/08/09/2
Exploit
Technical Description
http://www.securityfocus.com/bid/93165
https://access.redhat.com/errata/RHSA-2016:1852
Third Party Advisory
https://access.redhat.com/errata/RHSA-2016:1853
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1362601
Third Party Advisory
VDB Entry
Issue Tracking
https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
Exploit
Technical Description
https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
Patch
https://github.com/libarchive/libarchive/issues/746
Patch
Exploit