Vulnerability Description
It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rpm | Rpm | < 4.13.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670Issue TrackingPatch
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e3
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8
- https://security.gentoo.org/glsa/201811-22
- https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670Issue TrackingPatch
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e3
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8
- https://security.gentoo.org/glsa/201811-22
FAQ
What is CVE-2017-7501?
CVE-2017-7501 is a vulnerability with a CVSS score of 7.8 (HIGH). It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed coul...
How severe is CVE-2017-7501?
CVE-2017-7501 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7501?
Check the references section above for vendor advisories and patch information. Affected products include: Rpm Rpm.