CVE-2018-10897

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.
References
Link Resource
http://www.securitytracker.com/id/1041594 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:2284 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2285 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2626 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10897 Issue Tracking Patch Third Party Advisory
https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c Patch Third Party Advisory
https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c Patch Third Party Advisory
https://github.com/rpm-software-management/yum-utils/pull/43 Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 Third Party Advisory
http://www.securitytracker.com/id/1041594 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:2284 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2285 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2626 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10897 Issue Tracking Patch Third Party Advisory
https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c Patch Third Party Advisory
https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c Patch Third Party Advisory
https://github.com/rpm-software-management/yum-utils/pull/43 Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:rpm:yum-utils:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:42

Type Values Removed Values Added
References () http://www.securitytracker.com/id/1041594 - Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1041594 - Third Party Advisory, VDB Entry
References () https://access.redhat.com/errata/RHSA-2018:2284 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:2284 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:2285 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:2285 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:2626 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:2626 - Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10897 - Issue Tracking, Patch, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10897 - Issue Tracking, Patch, Third Party Advisory
References () https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c - Patch, Third Party Advisory () https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c - Patch, Third Party Advisory
References () https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c - Patch, Third Party Advisory () https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c - Patch, Third Party Advisory
References () https://github.com/rpm-software-management/yum-utils/pull/43 - Third Party Advisory () https://github.com/rpm-software-management/yum-utils/pull/43 - Third Party Advisory
References () https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 - Third Party Advisory () https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 - Third Party Advisory

09 Sep 2021, 12:42

Type Values Removed Values Added
References (CONFIRM) https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 - (CONFIRM) https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 - Third Party Advisory

11 Aug 2021, 15:21

Type Values Removed Values Added
CPE cpe:2.3:a:rpm-software-management_project:yum-utils:*:*:*:*:*:*:*:* cpe:2.3:a:rpm:yum-utils:*:*:*:*:*:*:*:*

Information

Published : 2018-08-01 17:29

Updated : 2024-11-21 03:42


NVD link : CVE-2018-10897

Mitre link : CVE-2018-10897

CVE.ORG link : CVE-2018-10897


JSON object : View

Products Affected

redhat

  • virtualization
  • enterprise_linux_desktop
  • enterprise_linux_workstation
  • enterprise_linux_server

rpm

  • yum-utils
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')