CVE-2019-9686

{"id": "CVE-2019-9686", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-03-11T16:29:00.283", "references": [{"url": "https://git.archlinux.org/pacman.git/commit/?h=release/5.1.x&id=1bf767234363f7ad5933af3f7ce267c123017bde", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://git.archlinux.org/pacman.git/commit/?id=9702703633bec2c007730006de2aeec8587dfc84", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://git.archlinux.org/pacman.git/commit/?id=d197d8ab82cf10650487518fb968067897a12775", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL \"pacman -U <url>\" due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c."}, {"lang": "es", "value": "pacman, en versiones anteriores a la 5.1.3, permite un salto de directorio a la hora de instalar un paquete remoto mediante una URL \"pacman -U \" especificado debido a un nombre de archivo no saneado que se recibe desde una cabecera \"Content-Disposition\". pacman renombra el paquete de archivo descargado para que concuerde con el nombre proporcionado en la misma cabecera. Sin embargo, pacman no saneaba este nombre, el cual puede contener barras, antes de llamar a rename(). Un servidor malicioso (o un MitM en la red si la descarga se efect\u00faa sobre HTTP) puede enviar una cabecera \"Content-Disposition\" para hacer que pacman coloque el archivo en cualquier sitio en el sistema de archivos, conduciendo, potencialmente, a una ejecuci\u00f3n de c\u00f3digo root arbitrario. En particular, esto omite la comprobaci\u00f3n de firmas de paquetes de pacman. Esto ocurre en curl_download_internal en lib/libalpm/dload.c."}], "lastModified": "2020-11-09T21:45:43.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pacman_project:pacman:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53E5D4C7-A60E-4422-9168-9EBFC93FF985", "versionEndExcluding": "5.1.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}