CVE-2018-10897 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-10897 Interim 1 18 2025-02-17T02:49:01Z current 2021-05-30T14:13:05Z 2025-02-17T02:49:01Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-10897 A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE Liberty Linux 7 SUSE OpenStack Cloud 8 yum-NetworkManager-dispatcher-1.1.31-46.el7_5 yum-plugin-aliases-1.1.31-46.el7_5 yum-plugin-auto-update-debug-info-1.1.31-46.el7_5 yum-plugin-changelog-1.1.31-46.el7_5 yum-plugin-copr-1.1.31-46.el7_5 yum-plugin-fastestmirror-1.1.31-46.el7_5 yum-plugin-filter-data-1.1.31-46.el7_5 yum-plugin-fs-snapshot-1.1.31-46.el7_5 yum-plugin-keys-1.1.31-46.el7_5 yum-plugin-list-data-1.1.31-46.el7_5 yum-plugin-local-1.1.31-46.el7_5 yum-plugin-merge-conf-1.1.31-46.el7_5 yum-plugin-ovl-1.1.31-46.el7_5 yum-plugin-post-transaction-actions-1.1.31-46.el7_5 yum-plugin-pre-transaction-actions-1.1.31-46.el7_5 yum-plugin-priorities-1.1.31-46.el7_5 yum-plugin-protectbase-1.1.31-46.el7_5 yum-plugin-ps-1.1.31-46.el7_5 yum-plugin-remove-with-leaves-1.1.31-46.el7_5 yum-plugin-rpm-warm-cache-1.1.31-46.el7_5 yum-plugin-show-leaves-1.1.31-46.el7_5 yum-plugin-tmprepo-1.1.31-46.el7_5 yum-plugin-tsflags-1.1.31-46.el7_5 yum-plugin-upgrade-helper-1.1.31-46.el7_5 yum-plugin-verify-1.1.31-46.el7_5 yum-plugin-versionlock-1.1.31-46.el7_5 yum-updateonboot-1.1.31-46.el7_5 yum-utils yum-utils-1.1.31-46.el7_5 yum-NetworkManager-dispatcher-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-aliases-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-auto-update-debug-info-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-changelog-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-copr-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-fastestmirror-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-filter-data-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-fs-snapshot-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-keys-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-list-data-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-local-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-merge-conf-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-ovl-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-post-transaction-actions-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-pre-transaction-actions-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-priorities-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-protectbase-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-ps-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-remove-with-leaves-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-rpm-warm-cache-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-show-leaves-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-tmprepo-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-tsflags-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-upgrade-helper-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-verify-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-plugin-versionlock-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-updateonboot-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-utils-1.1.31-46.el7_5 as a component of SUSE Liberty Linux 7 yum-utils as a component of HPE Helion OpenStack 8 yum-utils as a component of SUSE OpenStack Cloud 8 A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected. CVE-2018-10897 SUSE Liberty Linux 7:yum-NetworkManager-dispatcher-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-aliases-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-auto-update-debug-info-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-changelog-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-copr-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-fastestmirror-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-filter-data-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-fs-snapshot-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-keys-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-list-data-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-local-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-merge-conf-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-ovl-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-post-transaction-actions-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-pre-transaction-actions-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-priorities-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-protectbase-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-ps-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-remove-with-leaves-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-rpm-warm-cache-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-show-leaves-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-tmprepo-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-tsflags-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-upgrade-helper-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-verify-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-plugin-versionlock-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-updateonboot-1.1.31-46.el7_5 SUSE Liberty Linux 7:yum-utils-1.1.31-46.el7_5 HPE Helion OpenStack 8:yum-utils SUSE OpenStack Cloud 8:yum-utils important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H