CVE-2014-8165

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-8165
scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

10.0 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
http://rhn.redhat.com/errata/RHSA-2016-2607.html
http://sourceforge.net/p/powerpc-utils/mailman/message/32884230/ Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/02/09/4
http://www.securityfocus.com/bid/72537
https://bugzilla.redhat.com/show_bug.cgi?id=1073139
https://exchange.xforce.ibmcloud.com/vulnerabilities/100788
Configurations

Configuration 1 (hide)

cpe:2.3:a:powerpc-utils_project:powerpc-utils:-:*:*:*:*:*:*:*
History

13 Feb 2023, 00:44

Type Values Removed Values Added
Summary It was found that the amsvis command of the powerpc-utils-python package did not verify unpickled data before processing it. This could allow an attacker who can connect to an amsvis server process (or cause an amsvis client process to connect to them) to execute arbitrary code as the user running the amsvis process. scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2014-8165', 'name': 'https://access.redhat.com/security/cve/CVE-2014-8165', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2016:2607', 'name': 'https://access.redhat.com/errata/RHSA-2016:2607', 'tags': [], 'refsource': 'MISC'}

02 Feb 2023, 20:19

Type Values Removed Values Added
Summary scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object. It was found that the amsvis command of the powerpc-utils-python package did not verify unpickled data before processing it. This could allow an attacker who can connect to an amsvis server process (or cause an amsvis client process to connect to them) to execute arbitrary code as the user running the amsvis process.
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-8165 -
  • (MISC) https://access.redhat.com/errata/RHSA-2016:2607 -
Information

Published : 2015-02-19 15:59

Updated : 2023-12-10 11:31

NVD link : CVE-2014-8165

Mitre link : CVE-2014-8165

CVE.ORG link : CVE-2014-8165

JSON object : View

Products Affected

powerpc-utils_project

  • powerpc-utils
CWE
CWE-345

Insufficient Verification of Data Authenticity