CVE-2020-26277

Published: Dic 21, 2020 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2022-0806 Aliases: GHSA-47wr-426j-fr82
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,1
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: required
Scope: changed
Confidentiality: none
Integrity: high
Availability: none
MEDIUM 4,0
Source: [email protected]
Access Vector: network
Access Complexity: high
Authentication: none
Confidentiality: none
Integrity: partial
Availability: partial

Description

AI Translation Available

DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user. 2) The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack. This has been fixed in version 1.58.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0030
Percentile
0,5th
Updated

EPSS Score Trend (Last 90 Days)

59

Improper Link Resolution Before File Access ('Link Following')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Other
Potential Impacts:
Read Files Or Directories Modify Files Or Directories Bypass Protection Mechanism Execute Unauthorized Code Or Commands
Applicable Platforms
Operating Systems: Windows, Unix
Likelihood of Exploit: Medium
View CWE Details
Application

Dbdeployer by Dbdeployer

Product Information
Vendor Dbdeployer
Product Dbdeployer
Version Range Affected
To 1.58.2 (exclusive)
cpe:2.3:a:dbdeployer:dbdeployer:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/datacharmer/dbdeployer/commit/548e256c1d…
Patch Third Party Advisory
https://github.com/datacharmer/dbdeployer/commit/548e256c1de2f99746e861454e7714…
https://github.com/datacharmer/dbdeployer/security/advisori…
Third Party Advisory
https://github.com/datacharmer/dbdeployer/security/advisories/GHSA-47wr-426j-fr…
https://github.com/datacharmer/dbdeployer/commit/548e256c1d…
Patch Third Party Advisory
https://github.com/datacharmer/dbdeployer/commit/548e256c1de2f99746e861454e7714…
https://github.com/datacharmer/dbdeployer/security/advisori…
Third Party Advisory
https://github.com/datacharmer/dbdeployer/security/advisories/GHSA-47wr-426j-fr…