Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1ycjUyLXdnN2YtODg3Nc4AAVFC

Improper Link Resolution Before File Access in logilab-commons

The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-common before 0.61.0 allow local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.

Permalink: https://github.com/advisories/GHSA-rr52-wg7f-8875
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycjUyLXdnN2YtODg3Nc4AAVFC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago

CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-rr52-wg7f-8875, CVE-2014-1838
References:
Blast Radius: 17.4

Affected Packages

pypi:logilab-common
Dependent packages: 8
Dependent repositories: 1,257
Downloads: 77,305 last month
Affected Version Ranges: < 0.61.0
Fixed in: 0.61.0
All affected versions: 0.28.1, 0.38.0, 0.38.1, 0.39.0, 0.43.0, 0.44.0, 0.46.0, 0.46.1, 0.47.0, 0.48.1, 0.49.0, 0.50.0, 0.50.1, 0.50.2, 0.50.3, 0.51.0, 0.51.1, 0.52.0, 0.52.1, 0.53.0, 0.54.0, 0.55.0, 0.55.2, 0.56.0, 0.56.1, 0.56.2, 0.57.0, 0.57.1, 0.58.1, 0.58.3, 0.59.0, 0.59.1, 0.60.0, 0.60.1
All unaffected versions: 0.61.0, 0.62.0, 0.62.1, 0.63.0, 0.63.1, 0.63.2, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.10.0, 1.11.0, 2.0.0