Diffoscope may write to arbitrary locations due to an untrusted archive · CVE-2017-0359 · GitHub Advisory Database · GitHub

Diffoscope may write to arbitrary locations due to an untrusted archive

Critical severity GitHub Reviewed Published Jul 13, 2018 to the GitHub Advisory Database • Updated Sep 5, 2023

Package

diffoscope (pip)

Affected versions

< 76

Patched versions

76

Description

diffoscope before 76 writes to arbitrary locations on disk based on the contents of an untrusted archive.

References

Published to the GitHub Advisory Database Jul 13, 2018

Reviewed Jun 16, 2020

Last updated Sep 5, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H