CVE-2018-0496 - OpenCVE

Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 (as well as in RTsoft's Dink Smallwood HD / ProtonSDK version) before 3.14 allow an attacker to overwrite arbitrary files on the user's system.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Dinknetwork	Dfarc2 Dfarc
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:dinknetwork:dfarc::::::::
	cpe:2.3:a:dinknetwork:dfarc2::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

References

Link	Resource
https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998	Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00033.html	Mailing List Third Party Advisory
https://savannah.gnu.org/forum/forum.php?forum_id=9169	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2018-06-12T20:00:00

Updated: 2019-02-25T10:57:01

Reserved: 2017-11-27T00:00:00

Link: CVE-2018-0496

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-06-12T20:29:00.467

Modified: 2019-03-01T13:01:38.413

Link: CVE-2018-0496

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "DFArc2 before 3.14 unknown", "vendor": "n/a", "versions": [{"status": "affected", "version": "DFArc2 before 3.14 unknown"}]}], "datePublic": "2018-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 (as well as in RTsoft's Dink Smallwood HD / ProtonSDK version) before 3.14 allow an attacker to overwrite arbitrary files on the user's system."}], "problemTypes": [{"descriptions": [{"description": "Directory traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-02-25T10:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://savannah.gnu.org/forum/forum.php?forum_id=9169"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998"}, {"name": "[debian-lts-announce] 20190224 [SECURITY] [DLA 1686-1] freedink-dfarc security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00033.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2018-0496", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DFArc2 before 3.14 unknown", "version": {"version_data": [{"version_value": "DFArc2 before 3.14 unknown"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 (as well as in RTsoft's Dink Smallwood HD / ProtonSDK version) before 3.14 allow an attacker to overwrite arbitrary files on the user's system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory traversal"}]}]}, "references": {"reference_data": [{"name": "https://savannah.gnu.org/forum/forum.php?forum_id=9169", "refsource": "CONFIRM", "url": "https://savannah.gnu.org/forum/forum.php?forum_id=9169"}, {"name": "https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998", "refsource": "CONFIRM", "url": "https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998"}, {"name": "[debian-lts-announce] 20190224 [SECURITY] [DLA 1686-1] freedink-dfarc security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00033.html"}]}}}}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2018-0496", "datePublished": "2018-06-12T20:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2019-02-25T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dinknetwork:dfarc:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB579C4-1E77-4A3B-8A1F-C9486083E6C3", "versionEndExcluding": "3.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:dinknetwork:dfarc2:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E62EA6B-A821-44A3-ADEC-91D2209FC4B3", "versionEndExcluding": "3.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 (as well as in RTsoft's Dink Smallwood HD / ProtonSDK version) before 3.14 allow an attacker to overwrite arbitrary files on the user's system."}, {"lang": "es", "value": "Problemas de salto de directorio en el extractor D-Mod en DFArc y DFArc2 (as\u00ed como en Dink Smallwood HD / ProtonSDK, de RTsoft) en versiones anteriores a la 3.14 permite que un atacante sobrescriba archivos arbitrarios en el sistema del usuario."}], "id": "CVE-2018-0496", "lastModified": "2019-03-01T13:01:38.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-12T20:29:00.467", "references": [{"source": "security@debian.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998"}, {"source": "security@debian.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00033.html"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://savannah.gnu.org/forum/forum.php?forum_id=9169"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}