CVE-2017-18196

LOW

leptonica 1.74.4 - Path Traversal via /tmp Subdirectory

Title source: llm
STIX 2.1

Description

Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.

References (2)

Core 2
Core References
Mailing List, Third Party Advisory
https://bugs.debian.org/885704
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202312-01

Scores

CVSS v3 3.3
EPSS 0.0042
EPSS Percentile 34.1%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-22
Status published
Products (1)
leptonica/leptonica 1.74.4
Published Feb 23, 2018
Tracked Since Feb 18, 2026