CVE-2017-7501

EPSS 0.05%
Published 22.11.2017 22:29:00
Last modified 20.04.2025 01:37:25
Source secalert@redhat.com
Teams watchlist Login
Open Login

It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Rpm ≫ Rpm Version < 4.13.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.169

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://security.gentoo.org/glsa/201811-22

https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-7501

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-7501

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-7501

EUVD