CVE-2015-1395 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2015-1395?

CVE-2015-1395 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-1395?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Canonical Ubuntu Linux, Gnu Patch.

Vulnerability Description

Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Fedoraproject	Fedora	20
Canonical	Ubuntu Linux	12.04
Gnu	Patch	<= 2.7.2

Related Weaknesses (CWE)

CWE-22

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.htmlPatchThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.htPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2015/01/27/28Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/72846Third Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-2651-1PatchThird Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873Issue TrackingPatchThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1184490Issue TrackingPatchThird Party Advisory
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=17953b5893f7c9835f0dd2a70Issue TrackingPatch
https://savannah.gnu.org/bugs/?44059PatchVendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.htmlPatchThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.htPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2015/01/27/28Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/72846Third Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-2651-1PatchThird Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873Issue TrackingPatchThird Party Advisory

FAQ

What is CVE-2015-1395?

CVE-2015-1395 is a vulnerability with a CVSS score of 7.5 (HIGH). Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a ...

How severe is CVE-2015-1395?

CVE-2015-1395 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-1395?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Canonical Ubuntu Linux, Gnu Patch.