deepin-clone up to 1.1.2
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in deepin-clone up to 1.1.2. It has been rated as problematic. This impacts the function Helper::temporaryMountDevice of the file /tmp/.deepin-clone/mount/<block-dev-basename. The manipulation as part of Symlink leads to link following.
This vulnerability is listed as CVE-2019-13226. The attack must be carried out locally. There is no available exploit.
Upgrading the affected component is advised.
Details
A vulnerability, which was classified as critical, has been found in deepin-clone up to 1.1.2. This issue affects the function Helper::temporaryMountDevice of the file /tmp/.deepin-clone/mount/<block-dev-basename. The manipulation as part of a Symlink leads to a link following vulnerability. Using CWE to declare the problem leads to CWE-59. The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system.
The weakness was presented 07/04/2019 (oss-sec). The advisory is shared at openwall.com. The identification of this vulnerability is CVE-2019-13226 since 07/04/2019. An attack has to be approached locally. The successful exploitation requires a simple authentication. Technical details are known, but no exploit is available.
Upgrading to version 1.1.3 eliminates this vulnerability.
See VDB-137334, VDB-137335 and VDB-137336 for similar entries. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.4VulDB Meta Temp Score: 7.3
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.0
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Link followingCWE: CWE-59
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: deepin-clone 1.1.3
Patch: github.com
Timeline
07/04/2019 🔍07/04/2019 🔍
07/05/2019 🔍
10/17/2023 🔍
Sources
Advisory: e079f3e2712b4f8c28e3e63e71ba1a1f90fce1abStatus: Not defined
CVE: CVE-2019-13226 (🔍)
GCVE (CVE): GCVE-0-2019-13226
GCVE (VulDB): GCVE-100-137333
See also: 🔍
Entry
Created: 07/05/2019 06:57Updated: 10/17/2023 11:01
Changes: 07/05/2019 06:57 (42), 07/01/2020 09:57 (17), 10/17/2023 10:54 (5), 10/17/2023 11:01 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.