CVE-2020-14352
HIGHlibrepo < 1.12.1 - Path Traversal via Remote Repository Metadata
Title source: llmDescription
A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.
References (6)
Core 6
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1866498
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00055.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OOMDEQBRJ7SO2QWL7H23G3VV2VSCUYOY/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XDMHVY7OMIJNSPVZ2GJWHT77Z5V3YJ55/
Scores
CVSS v3
8.0
EPSS
0.0410
EPSS Percentile
88.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (6)
fedoraproject/fedora
31
fedoraproject/fedora
32
fedoraproject/fedora
33
opensuse/backports_sle
15.0 sp2
opensuse/leap
15.2
redhat/librepo
< 1.12.1
Published
Aug 30, 2020
Tracked Since
Feb 18, 2026