CVE-2017-14804 | The build package before 20171128 did not check directory na… | CVSS 9.9 CRITICAL

Description

The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.

Metadata

CVE ID: CVE-2017-14804
State: PUBLISHED
Assigner: microfocus
Reserved: 2017-09-27 00:00 UTC
Published: 2018-03-01 19:00 UTC
Last updated: 2024-09-16 22:03 UTC
Primary CWE: CWE-22
CWE-22
Vendor / Product: SUSE / build
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
SUSE	build	—	unspecified ≤ 20171128

Weakness (CWE)

CWE	Source	Description
—	cna	Insufficient pathname checking could use to bypass directory restrictions.
CWE-22	cna	CWE-22

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (3)

SUSE-SU-2017:3253 https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html
SUSE-SU-2018:0065 https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html
openSUSE-SU-2017:3259 https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html