CVE-2011-2185

Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.

Published Bysecalert@redhat.com

Published DateJul 27, 2011, 02:55

Affected Versions(1)

fabric(PyPI)

Introduced0

Fixed1.1.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
fabric(PyPI)	0	1.1.0	N/A

Weakness Type (CWE):CWE-59

CVSS Metrics

Base Score

4.4

Vector String

AV:L/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003
http://code.fabfile.org/projects/fabric/files/Fabric-1.1.0.tar.gz
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062534.html
http://www.openwall.com/lists/oss-security/2011/06/03/5
http://www.openwall.com/lists/oss-security/2011/06/06/12
https://bugzilla.redhat.com/show_bug.cgi?id=710462

Weakness Type (CWE):CWE-59

CVSS Metrics

Base Score

4.4

Vector String

AV:L/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL