CVE-2020-14352 — HIGH (8.0)

Q: How severe is CVE-2020-14352?

CVE-2020-14352 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-14352?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Librepo, Opensuse Backports Sle, Opensuse Leap, Fedoraproject Fedora.

Vulnerability Description

A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Librepo	< 1.12.1
Opensuse	Backports Sle	15.0
Opensuse	Leap	15.2
Fedoraproject	Fedora	31

Related Weaknesses (CWE)

CWE-22

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.htmlMailing ListPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00055.htmlMailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1866498Issue TrackingPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.htmlMailing ListPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00055.htmlMailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1866498Issue TrackingPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-14352?

CVE-2020-14352 is a vulnerability with a CVSS score of 8.0 (HIGH). A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote r...

How severe is CVE-2020-14352?

CVE-2020-14352 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-14352?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Librepo, Opensuse Backports Sle, Opensuse Leap, Fedoraproject Fedora.