CVE-2009-3304
GForge 4.5.14, 4.7 rc2, and 4.8.2 - Arbitrary File Overwrite via Symlink Attack on Authorized Keys
GForge 4.5.14, 4.7 rc2, and 4.8.2 allows local users to overwrite arbitrary files via a symlink attack on authorized_keys files in users' home directories, related to deb-specific/ssh_dump_update.pl and cronjobs/cvs-cron/ssh_create.php.
References (3)
Core References
Patch, x_refsource_confirm: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.diff.gz
Patch, vdb-entry, x_refsource_bid: http://www.securityfocus.com/bid/37195
Patch, vendor-advisory, x_refsource_debian: http://www.debian.org/security/2009/dsa-1945
Scores
EPSS: 0.0031
EPSS Percentile: 22.9%
Details
CWE: CWE-59
Status: published
Products (3)
gforge/gforge 4.5.14
gforge/gforge 4.7 rc2
gforge/gforge 4.8.2
Published: Dec 04, 2009
Tracked Since: Feb 18, 2026