Homepage
About Snyk

Directory Traversal Affecting yum-plugin-priorities package, versions <0:1.1.31-46.30.amzn1

0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.69% (80th percentile)
Expand this section
NVD
8.1 high
Expand this section
Red Hat
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-AMZN201803-YUMPLUGINPRIORITIES-1715521
  • published 27 Sep 2021
  • disclosed 1 Aug 2018
Report a new vulnerability Found a mistake?

Introduced: 1 Aug 2018

CVE-2018-10897 Open this link in a new tab
CWE-22 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2018.03 yum-plugin-priorities to version 0:1.1.31-46.30.amzn1 or higher.
This issue was patched in ALAS-2018-1057.

NVD Description

Note: Versions mentioned in the description apply only to the upstream yum-plugin-priorities package and not the yum-plugin-priorities package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.