CVE-2014-8990 — HIGH (7.5) — White Hats Nepal

Q: What is CVE-2014-8990?

CVE-2014-8990 is a vulnerability with a CVSS score of 7.5 (HIGH). default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

Q: How severe is CVE-2014-8990?

CVE-2014-8990 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-8990?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Lsyncd Project Lsyncd.

Vulnerability Description

default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	7.0
Fedoraproject	Fedora	19
Lsyncd Project	Lsyncd	<= 2.1.5

Related Weaknesses (CWE)

CWE-77

References

http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.hThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.hThird Party Advisory
http://secunia.com/advisories/62321
http://www.debian.org/security/2015/dsa-3130Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/19/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/20/5ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/bid/71179Third Party AdvisoryVDB Entry
https://github.com/axkibe/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52ExploitIssue TrackingPatch
https://github.com/axkibe/lsyncd/commit/e6016b3748370878778b8f0b568d5281cc248aa4ExploitIssue TrackingPatch
https://github.com/axkibe/lsyncd/issues/220Issue TrackingPatch
https://security.gentoo.org/glsa/201702-05
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.hThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.hThird Party Advisory
http://secunia.com/advisories/62321
http://www.debian.org/security/2015/dsa-3130Third Party Advisory

FAQ

What is CVE-2014-8990?

CVE-2014-8990 is a vulnerability with a CVSS score of 7.5 (HIGH). default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

How severe is CVE-2014-8990?

CVE-2014-8990 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-8990?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Lsyncd Project Lsyncd.