CVE-2011-4617

Severity: low
Published 2022-05-17 · Modified 2024-01-19

CVSS v3: — (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVSS v4: — (not yet in upstream)
VIR risk: 1.2

Description

virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.

Predictions

Exploit likelihood: 20%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker

CVE-2011-4617

Name: CVE-2011-4617
Description: virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 652653

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            | Release  | Version              | Status
python-virtualenv (PTS)   | bullseye | 20.4.0+ds-2+deb11u1  | fixed
python-virtualenv (PTS)   | bookworm | 20.17.1+ds-1         | fixed
python-virtualenv (PTS)   | trixie   | 20.31.2+ds-1         | fixed
python-virtualenv (PTS)   | forky    | 21.3.1+ds-1          | fixed
python-virtualenv (PTS)   | sid      | 21.4.1+ds-1          | fixed

The information below is based on the following data on fixed versions.

Package            | Type   | Release    | Fixed Version    | Urgency | Origin | Debian Bugs
python-virtualenv  | source | squeeze    | 1.4.9-3squeeze1  |         |        |
python-virtualenv  | source | (unstable) | 1.6-1            | low     |        | 652653

Notes

[lenny] - python-virtualenv <no-dsa> (Minor issue)

OS impact

Debian: fixed in 5 releases

Version  | Status | Fixed in
trixie   | Fixed  | 1.6-1
sid      | Fixed  | 1.6-1
forky    | Fixed  | 1.6-1
bullseye | Fixed  | 1.6-1
bookworm | Fixed  | 1.6-1

Package impact

Ecosystem      | Package    | Vulnerable | Fixed
PyPI (python)  | virtualenv | <1.5       | 1.5

Application impact

Vendor | Product    | Versions                                                        | Fixed
python | virtualenv | up to and including 1.4.9 (range entry)                         |
python | virtualenv | 0.8, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9, 0.9.1, 0.9.2, 1.0, 1.1,   |
       |            | 1.1.1, 1.2, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4, 1.4.1, 1.4.2, |
       |            | 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8 (enumerated entries)   |

References

CWEs

CWE-59
