Vulnerability Details CVE-2019-7282
In NetKit through 0.17, rcp.c in the rcp client allows remote rsh servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. This is similar to CVE-2018-20685.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.3%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
References
- https://bugs.debian.org/920486
- https://lists.debian.org/debian-lts-announce/2021/11/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DU33YVEDGFDMAZPSRQTRVKSKG4FAX7QB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSEX3TKX2DBUKG4A7VJFDLSMZIBJQZ3G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NA24VQJATZWYV42JG2PQUW7IHIZS7UKP/
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- https://bugs.debian.org/920486
- https://lists.debian.org/debian-lts-announce/2021/11/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DU33YVEDGFDMAZPSRQTRVKSKG4FAX7QB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSEX3TKX2DBUKG4A7VJFDLSMZIBJQZ3G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NA24VQJATZWYV42JG2PQUW7IHIZS7UKP/
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Products affected by CVE-2019-7282
-
cpe:2.3:a:netkit:netkit:-
-
cpe:2.3:a:netkit:netkit:0.17
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:34
-
cpe:2.3:o:fedoraproject:fedora:35
-
cpe:2.3:o:fedoraproject:fedora:36