Vulnerability Details : CVE-2008-4997

** DISPUTED ** dfxml-invoice in datafreedom-perl 0.1.7 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/zenity temporary file. NOTE: the vendor disputes this vulnerability, stating that the vector is solely "an EXAMPLE used in the manpage."

Published 2008-11-07 19:36:24

Updated 2008-11-10 05:00:00

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2008-4997

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2008-4997

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	nvd@nist.gov
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2008-4997

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-4997

Products affected by CVE-2008-4997

Pilot-qof » Datafreedom-perl » Version: 0.1.7
cpe:2.3:a:pilot-qof:datafreedom-perl:0.1.7:*:*:*:*:*:*:*
Matching versions