Vulnerability Details : CVE-2011-2185
Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.
Products affected by CVE-2011-2185
- cpe:2.3:a:fabfile:fabric:*:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:fabfile:fabric:1.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-2185
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2011-2185
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
CWE ids for CVE-2011-2185
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2185
- http://code.fabfile.org/projects/fabric/files/Fabric-1.1.0.tar.gz
  Patch
- http://www.openwall.com/lists/oss-security/2011/06/06/12
  oss-security - Re: CVE Request -- fabric -- Use of insecure temporary file by uploading templates and projects to remote hosts
- http://www.openwall.com/lists/oss-security/2011/06/03/5
  oss-security - CVE Request -- fabric -- Use of insecure temporary file by uploading templates and projects to remote hosts
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003
  #629003 - fabric is prone to file-overwrite security issue(s). - Debian Bug report logs
- https://bugzilla.redhat.com/show_bug.cgi?id=710462
  710462 – (CVE-2011-2185) CVE-2011-2185 fabric: Use of insecure temporary file by uploading templates and projects to remote hosts
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062534.html
  [SECURITY] Fedora 14 Update: fabric-0.9.7-1.fc14