Vulnerability Details CVE-2017-14804
The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.6%
CVSS Severity
CVSS v3 Score 9.9
CVSS v2 Score 5.0
References
- https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html
- https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html
- https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html
- https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html
- https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html
- https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html
Products affected by CVE-2017-14804
-
cpe:2.3:o:opensuse:leap:42.2
-
cpe:2.3:o:opensuse:leap:42.3
-
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11
-
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12