Vulnerability Details : CVE-2007-2452
Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036.
Vulnerability category: Overflow, Execute code
Exploit prediction scoring system (EPSS) score for CVE-2007-2452
Probability of exploitation activity in the next 30 days: 0.77%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 81 %
CVSS scores for CVE-2007-2452
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST |
Vendor statements for CVE-2007-2452
- Red Hat 2007-06-11: Not vulnerable. Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue does not affect the ’mlocate’ or ’slocate’ packages that are supplied with Red Hat Enterprise Linux.
- http://www.securityfocus.com/archive/1/470108/100/0/threaded
- http://www.securitytracker.com/id?1018183
- http://www.vupen.com/english/advisories/2010/1796
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34628
- http://www.vupen.com/english/advisories/2007/2015
- http://securityreason.com/securityalert/2760
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083
- http://www.securityfocus.com/bid/24250 (Patch)
- cpe:2.3:a:gnu:findutils:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.2.29:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.2.30:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:findutils:4.2.28:*:*:*:*:*:*:*