Arbitrary File Access Affecting logilab-common package, versions [0.38.1,0.61.0)
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
Threat Intelligence
- EPSS: 0.04% (6th percentile)
- Snyk ID SNYK-PYTHON-LOGILABCOMMON-40032
- published 30 Jan 2014
- disclosed 30 Jan 2014
- credit Jakub Wilk
Introduced: 30 Jan 2014
- CVE-2014-1838
How to fix?
Upgrade to version 0.61.0 or greater.
Overview
logilab-common is a collection of low-level Python packages and modules used by Logilab projects.
Affected versions of this package are vulnerable to Arbitrary File Access through insecure temporary file handling. The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-common before 0.61.0 write to the fixed, predictable path /tmp/toto.fdf. Because /tmp is shared and world-writable, any local user can pre-create that path as a symbolic link; when the function later opens it for writing, the write follows the link and lands in the link's target, so the attacker can overwrite arbitrary files writable by whoever runs the function, and possibly have other unspecified impact. The attacker needs no interaction with the PDF itself, only to plant the link before the function runs.
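The following is an added illustration of the bug class this advisory describes, not code from logilab-common or from the Snyk page: it writes to a fixed name in a directory standing in for /tmp, shows how a pre-planted symlink redirects that write into a victim file, and then shows two fixes, keeping the fixed name but opening it with O_CREAT|O_EXCL|O_NOFOLLOW so an existing link is refused rather than followed, and the preferred tempfile.mkstemp approach with a random name. All function names, the sandbox directories, the victim file and the FDF bytes are constructed for the demonstration; it assumes a POSIX host where os.symlink and O_NOFOLLOW are available.

```python
"""Symlink attack on a fixed temporary-file path, and two fixes.

Added illustration of the advisory's bug class; NOT the logilab-common code.
All names, directories and data below are constructed for the demonstration.
"""
import os
import tempfile

FIXED_NAME = "toto.fdf"  # the predictable basename named in the advisory
ORIGINAL = b"original contents\n"
FDF_DATA = b"%FDF-1.2\n1 0 obj << /FDF << /Fields [] >> >> endobj\n%%EOF\n"


def write_fdf_vulnerable(tmp_dir: str, data: bytes) -> str:
    """Vulnerable pattern: open() a fixed, guessable path for writing.

    open(..., "wb") truncates and follows symlinks, so an attacker who has
    pre-created tmp_dir/toto.fdf as a symlink redirects the write to its target.
    """
    path = os.path.join(tmp_dir, FIXED_NAME)  # stands in for /tmp/toto.fdf
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_fdf_exclusive(tmp_dir: str, data: bytes) -> str:
    """Fixed name kept, but created with O_CREAT|O_EXCL|O_NOFOLLOW.

    O_EXCL makes creation fail if anything already exists at the path, a
    symlink included, so the planted link is refused instead of followed.
    A fixed name still lets the attacker cause a denial of service, which
    is why the mkstemp variant below is preferred.
    """
    path = os.path.join(tmp_dir, FIXED_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def write_fdf_mkstemp(tmp_dir: str, data: bytes) -> str:
    """Preferred fix: unpredictable name, created atomically with mode 0600.

    tempfile.mkstemp() uses O_CREAT|O_EXCL internally and picks a random
    name, so there is no target for the attacker to pre-create.
    """
    fd, path = tempfile.mkstemp(suffix=".fdf", dir=tmp_dir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def run_demo() -> dict:
    """Plant the attacker's symlink, then exercise all three writers.

    Returns a summary of which variant clobbered the constructed victim file.
    """
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        # Constructed victim: a file the attacker cannot write directly but
        # the user running the PDF helper can (think ~/.bashrc or a config).
        victim = os.path.join(sandbox, "victim.txt")
        tmp_dir = os.path.join(sandbox, "tmp")  # stands in for /tmp
        os.mkdir(tmp_dir)

        def reset():
            with open(victim, "wb") as fh:
                fh.write(ORIGINAL)

        def victim_clobbered() -> bool:
            with open(victim, "rb") as fh:
                return fh.read() != ORIGINAL

        # Attacker step: pre-create the predictable name as a symlink.
        os.symlink(victim, os.path.join(tmp_dir, FIXED_NAME))

        reset()
        write_fdf_vulnerable(tmp_dir, FDF_DATA)
        results["vulnerable_clobbered"] = victim_clobbered()

        reset()
        try:
            write_fdf_exclusive(tmp_dir, FDF_DATA)
            results["exclusive_refused"] = False
        except OSError:  # EEXIST from O_EXCL (ELOOP if O_NOFOLLOW trips first)
            results["exclusive_refused"] = True
        results["exclusive_clobbered"] = victim_clobbered()

        reset()
        out = write_fdf_mkstemp(tmp_dir, FDF_DATA)
        results["mkstemp_clobbered"] = victim_clobbered()
        results["mkstemp_basename"] = os.path.basename(out)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable writer silently replacing the victim's contents, the O_EXCL writer raising on the planted link, and the mkstemp writer producing a randomly named file alongside the untouched victim. The same check applies when auditing other code: any write to a hard-coded path under /tmp or another shared directory is the pattern to look for.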