CVE-2014-3865 - Vulnerability Details - OpenCVE

Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Dpkg-dev

Configuration 1 [-]

cpe:2.3:a:debian:dpkg-dev:1.3.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://openwall.com/lists/oss-security/2014/05/25/2
http://www.debian.org/security/2014/dsa-2953
http://www.securityfocus.com/bid/67727
http://www.ubuntu.com/usn/USN-2242-1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-05-30T18:00:00

Updated: 2024-08-06T10:57:17.636Z

Reserved: 2014-05-25T00:00:00

Link: CVE-2014-3865

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-05-30T18:55:06.100

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-3865

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-05-25T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-28T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "USN-2242-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"name": "DSA-2953", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2953"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"name": "[oss-security] 20140525 CVE request: another path traversal in dpkg-source during unpack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"name": "67727", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/67727"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2014-3865", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-2242-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"name": "DSA-2953", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2953"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183", "refsource": "CONFIRM", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"name": "[oss-security] 20140525 CVE request: another path traversal in dpkg-source during unpack", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"name": "67727", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67727"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:57:17.636Z"}, "title": "CVE Program Container", "references": [{"name": "USN-2242-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"name": "DSA-2953", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2953"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"name": "[oss-security] 20140525 CVE request: another path traversal in dpkg-source during unpack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"name": "67727", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/67727"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3865", "datePublished": "2014-05-30T18:00:00", "dateReserved": "2014-05-25T00:00:00", "dateUpdated": "2024-08-06T10:57:17.636Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:dpkg-dev:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "7BCB8709-8C0B-433D-9854-295852AF8A38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en dpkg-source en dpkg-dev 1.3.0 permiten a atacantes remotos modificar archivos fuera de los directorios intencionados a trav\u00e9s de un paquete fuente con una pseudo-cabecera Index: manipulada en conjunto con (1) l\u00edneas de cabecera missing --- and +++ o (2) una l\u00ednea de cabecera +++ con un nombre de ruta en blanco."}], "id": "CVE-2014-3865", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-05-30T18:55:06.100", "references": [{"source": "[email protected]", "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"source": "[email protected]", "url": "http://www.debian.org/security/2014/dsa-2953"}, {"source": "[email protected]", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67727"}, {"source": "[email protected]", "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"source": "[email protected]", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2953"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}]}