Vulnerability Details : CVE-2019-13636
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.
Products affected by CVE-2019-13636
- cpe:2.3:a:gnu:patch:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13636
- EPSS score: 4.41% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~88% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2019-13636
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P | 8.6 | 4.9 | NIST |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST |
CWE ids for CVE-2019-13636
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-13636
- https://usn.ubuntu.com/4071-1/ (USN-4071-1: Patch vulnerabilities, Ubuntu security notices)
- https://security.netapp.com/advisory/ntap-20190828-0001/ (August 2019 GNU patch Vulnerabilities in NetApp Products, NetApp Product Security)
- https://seclists.org/bugtraq/2019/Jul/54 (Bugtraq: [SECURITY] [DSA 4489-1] patch security update)
- https://www.debian.org/security/2019/dsa-4489 (Debian Security Information: DSA-4489-1 patch)
- https://usn.ubuntu.com/4071-2/ (USN-4071-2: Patch vulnerabilities, Ubuntu security notices)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/ ([SECURITY] Fedora 30 Update: patch-2.7.6-11.fc30, Fedora package-announce mailing list)
- https://lists.debian.org/debian-lts-announce/2019/07/msg00016.html ([SECURITY] [DLA 1856-1] patch security update) [Third Party Advisory]
- https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a (patch.git, GNU patch upstream fix commit) [Mailing List; Patch; Vendor Advisory]
- https://github.com/irsl/gnu-patch-vulnerabilities (GitHub, irsl/gnu-patch-vulnerabilities: "The GNU patch utility was vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here.")
- https://seclists.org/bugtraq/2019/Aug/29 (Bugtraq: Details about recent GNU patch vulnerabilities)
- http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html (GNU patch Command Injection / Directory Traversal, Packet Storm)
- https://security.gentoo.org/glsa/201908-22 (Patch: Multiple vulnerabilities (GLSA 201908-22), Gentoo security)