JVNDB-2004-000170

Lha Directory Traversal Vulnerability in Testing and Extracting Process

Overview

LHa for UNIX is vulnerable to directory traversal due to improper path validation when testing or extracting an archive.
CVSS Severity

CVSS V2 Severity:
Base Metrics 6.4 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


LHa for UNIX project
  • LHa for UNIX 1.17 and earlier
Red Hat, Inc.
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux Desktop 3.0
  • Red Hat Linux 9
  • Red Hat Linux Advanced Workstation 2.1

Impact

An attacker could bypass access restrictions and create arbitrary files in directories for which they have no permission.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

  • LHa for UNIX project
  • Red Hat, Inc.
CWE

CVE

  1. CVE-2004-0235
References

  1. National Vulnerability Database (NVD) : CVE-2004-0235
  2. Open Vulnerability and Assessment Language (OVAL) : 978
  3. SecurityFocus : 10243
  4. SecurityFocus : LHA Advisory + Patch (marc.info)
  5. ISS X-Force Database : 16013
Revision History

  • [2008/05/21]
      Web page published