CVE-2018-1000849

Published: Dec 20, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Alpine Linux version Versions prior to 2.6.10, 2.7.6, and 2.10.1 contains a Other/Unknown vulnerability in apk-tools (Alpine Linux' package manager) that can result in Remote Code Execution. This attack appear to be exploitable via A specially crafted APK-file can cause apk to write arbitrary data to an attacker-specified file, due to bugs in handling long link target name and the way a regular file is extracted.. This vulnerability appears to have been fixed in 2.6.10, 2.7.6, and 2.10.1.

Affected (3)

Products: Alpinelinux: Alpine Linux

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Alpinelinux Alpine Linux	Before 2.6.10
Alpinelinux Alpine Linux	From 2.7.0 to 2.7.6
Alpinelinux Alpine Linux	From 2.7.7 to 2.10.1

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://alpinelinux.org/posts/Alpine-3.8.1-released.html

Source: cve@mitre.org

Vendor Advisory

https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

Source: cve@mitre.org

PatchVendor Advisory

https://justi.cz/security/2018/09/13/alpine-apk-rce.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://alpinelinux.org/posts/Alpine-3.8.1-released.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://justi.cz/security/2018/09/13/alpine-apk-rce.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.