CVE-2013-4472

Published: Apr 22, 2014Modified: May 6, 2026

3.3

Vector

AV:L/AC:M/Au:N/C:N/I:P/A:P

Exploitability: 3.4 / Impact: 4.9

Source: NVD

Description

The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Affected (4)

Products: Freedesktop: Poppler

Freedesktop

1 product

Poppler

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Freedesktop Poppler	Up to 0.24.3
Freedesktop Poppler	Version 0.24.0
Freedesktop Poppler	Version 0.24.1
Freedesktop Poppler	Version 0.24.2

Related CWEs

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (8)

http://osvdb.org/99064

Source: secalert@redhat.com

http://poppler.freedesktop.org/releases.html

Source: secalert@redhat.com

http://seclists.org/oss-sec/2013/q4/181

Source: secalert@redhat.com

http://seclists.org/oss-sec/2013/q4/183

Source: secalert@redhat.com

http://osvdb.org/99064

Source: af854a3a-2127-422b-91ae-364da2661108

http://poppler.freedesktop.org/releases.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2013/q4/181

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2013/q4/183

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.