Vulnerability Description
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequences such as a home/../usr substring.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cantata Project | Cantata | <= 2.3.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2018/06/18/1Mailing ListTechnical Description
- https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6cPatchTechnical Description
- http://www.openwall.com/lists/oss-security/2018/06/18/1Mailing ListTechnical Description
- https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6cPatchTechnical Description
FAQ
What is CVE-2018-12559?
CVE-2018-12559 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS...
How severe is CVE-2018-12559?
CVE-2018-12559 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-12559?
Check the references section above for vendor advisories and patch information. Affected products include: Cantata Project Cantata.