pvpgn 1.8.1 Installer link following

Summaryinfo

A vulnerability marked as problematic has been reported in pvpgn 1.8.1. This impacts an unknown function of the component Installer. The manipulation leads to link following. This vulnerability is traded as CVE-2008-5370. There is no exploit available.

Detailsinfo

A vulnerability was found in pvpgn 1.8.1 and classified as critical. This issue affects an unknown code of the component Installer. The manipulation with an unknown input leads to a link following vulnerability. Using CWE to declare the problem leads to CWE-59. The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

pvpgn-support-installer in pvpgn 1.8.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pvpgn-support-1.0.tar.gz temporary file.

The weakness was shared 12/08/2008 (Website). The advisory is shared at lists.debian.org. The identification of this vulnerability is CVE-2008-5370 since 12/08/2008. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries VDB-46955, VDB-45331, VDB-45328 and VDB-45326 are related to this item. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• pvpgn

Version

• 1.8.1

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion