CVE-2015-5704 : scripts/licensecheck.pl in devscripts before 2.15.7 allows local users to execut

scripts/licensecheck.pl in devscripts before 2.15.7 allows local users to execute arbitrary shell commands.

Published 2017-09-25 21:29:01

Updated 2017-10-06 13:56:38

Source Debian GNU/Linux

View at NVD, CVE.org

Products affected by CVE-2015-5704

Fedoraproject » Fedora » Version: 21
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 22
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Matching versions
Devscripts Devel Team » Devscripts
Versions up to, including, (<=) 2.15.6
cpe:2.3:a:devscripts_devel_team:devscripts:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

http://www.openwall.com/lists/oss-security/2015/08/01/7

oss-security - Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection
Mailing List;Third Party Advisory

CVEs referencing this url
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260

#794260 - devscripts: licensecheck: CVE-2015-5704: shell injection vulnerability - Debian Bug report logs
Vendor Advisory

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html

[SECURITY] Fedora 22 Update: devscripts-2.15.8-1.fc22
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1249635

1249635 – (CVE-2015-5704) CVE-2015-5704 devscripts: arbitrary shell command injection
Issue Tracking;Third Party Advisory
http://www.securityfocus.com/bid/76143

Debian devscripts 'licensecheck' Utility Command Injection Vulnerability
Third Party Advisory;VDB Entry
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html

[SECURITY] Fedora 21 Update: devscripts-2.15.8-1.fc21
Third Party Advisory

CVEs referencing this url
https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8

licensecheck: Use Dpkg::IPC to run file command (c0687bcd) · Commits · Debian / devscripts · GitLab
Patch;Vendor Advisory

Jump to