{
  "threat_severity" : "Important",
  "public_date" : "2020-08-13T00:00:00Z",
  "bugzilla" : {
    "description" : "librepo: missing path validation in repomd.xml may lead to directory traversal",
    "id" : "1866498",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1866498"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.", "A flaw was found in librepo. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories." ],
  "statement" : "This issue is rated as having Moderate impact on Red Hat Enterprise Linux 7 because `DNF` is not installed by default. The `DNF` package is available through the Extras channel as an enhancement to YUM 3. Both Fedora and Red Hat Enterprise Linux leverage transport security and package signatures to ship software to their users in a safe way.\nFedora provides a centralized, non-mirrored Fedora-run metalink service which provides a list of active mirrors and the expected cryptographic digest of the `repomd.xml` files. yum uses this information to select a mirror and verify that it serves the up-to-date, untampered `repomd.xml`. The chain of cryptographic digests is verified from there, eventually leading to verification of the .rpm file contents.\nRed Hat uses a different option to distribute Red Hat Enterprise Linux and its RPM-based products: a content-distribution network, managed by a trusted third party. Furthermore, the repositories provided by Red Hat use a separate public key infrastructure which is managed by Red Hat. For further information, refer to the following articles.\n[1] https://access.redhat.com/blogs/766093/posts/1976693\n[2] https://access.redhat.com/articles/1373143",
  "acknowledgement" : "Red Hat would like to thank Sergei Iudin <siudin@fb.com> for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-11-10T00:00:00Z",
    "advisory" : "RHSA-2020:5012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "librepo-0:1.8.1-8.el7_9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-09-08T00:00:00Z",
    "advisory" : "RHSA-2020:3658",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "librepo-0:1.11.0-3.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-09-15T00:00:00Z",
    "advisory" : "RHSA-2020:3756",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.0",
    "package" : "librepo-0:1.9.2-2.el8_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-09-15T00:00:00Z",
    "advisory" : "RHSA-2020:3749",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.1",
    "package" : "librepo-0:1.10.3-4.el8_1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14352\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14352" ],
  "name" : "CVE-2020-14352",
  "mitigation" : {
    "value" : "Avoid downloading software from untrusted third-party mirrors. Note that under normal circumstances, this flaw does not pose any threat to Red Hat users, as repositories are fully trusted and controlled by Red Hat.",
    "lang" : "en:us"
  },
  "csaw" : false
}