CVE-2019-13638
Date: (C) 2019-07-29   (M) 2023-12-22


GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

CVSS Score and Metrics

CVSS V3 Severity:
CVSS Score: 7.8
Exploit Score: 1.8
Impact Score: 5.9

CVSS V2 Severity:
CVSS Score: 9.3
Exploit Score: 8.6
Impact Score: 10.0

CVSS V3 Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
References:
https://seclists.org/bugtraq/2019/Jul/54
https://seclists.org/bugtraq/2019/Aug/29
DSA-4489
FEDORA-2019-ac709da87f
GLSA-201908-22
RHSA-2019:2798
RHSA-2019:2964
RHSA-2019:3757
RHSA-2019:3758
RHSA-2019:4061
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
https://github.com/irsl/gnu-patch-vulnerabilities
https://security-tracker.debian.org/tracker/CVE-2019-13638
https://security.netapp.com/advisory/ntap-20190828-0001/

CPE (2):
cpe:/o:debian:debian_linux:9.0
cpe:/o:debian:debian_linux:8.0
CWE (1):
CWE-78
OVAL (15):
oval:org.secpod.oval:def:503340
oval:org.secpod.oval:def:503357
oval:org.secpod.oval:def:57798
oval:org.secpod.oval:def:57814
...

© SecPod Technologies