CVE-2015-1395

moderate-risk

Published 2017-08-25

Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name.

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (6)

Ubuntu Linux

Patch

Fedora

Affected Vendors

Fedoraproject Gnu Canonical

References (18)

Patch http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.html

Patch http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.ht...

Mailing List http://www.openwall.com/lists/oss-security/2015/01/27/28

Third Party Advisory http://www.securityfocus.com/bid/72846

Patch http://www.ubuntu.com/usn/USN-2651-1

Issue Tracking https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1184490

Issue Tracking https://git.savannah.gnu.org/cgit/patch.git/commit/?id=17953b5893f7c9835f0dd2a70...

Patch https://savannah.gnu.org/bugs/?44059