Vulnerability Details : CVE-2007-2452
Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036.
Vulnerability category: OverflowExecute code
Products affected by CVE-2007-2452
- cpe:2.3:a:gnu:findutils:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.2.29:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.2.30:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.2.28:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2007-2452
4.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2007-2452
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
Vendor statements for CVE-2007-2452
-
Red Hat 2007-06-11Not vulnerable. Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue does not affect the ’mlocate’ or ’slocate’ packages that are supplied with Red Hat Enterprise Linux.
References for CVE-2007-2452
-
http://www.securityfocus.com/archive/1/470108/100/0/threaded
-
http://www.securitytracker.com/id?1018183
Access Denied
-
http://www.vupen.com/english/advisories/2010/1796
Webmail | OVH- OVH
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/34628
GNU findutils old-format locate database filename buffer overflow CVE-2007-2452 Vulnerability Report
-
http://www.vupen.com/english/advisories/2007/2015
Site en construction
-
http://securityreason.com/securityalert/2760
GNU Findutils release 4.2.31 fixes CVE-2007-2452 (GNU locate heap buffer overrun) - CXSecurity.com
-
http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083
-
http://www.securityfocus.com/bid/24250
Patch
Jump to