ID CVE-2008-1687
Summary The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.
References
Vulnerable Configurations
  • cpe:2.3:a:gnu:m4:*:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 08-08-2017 - 01:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 28688
mlist
  • [oss-security] 20080406 Re: Security fixes in m4-1.4.11
  • [oss-security] 20080406 Security fixes in m4-1.4.11
  • [oss-security] 20080407 Re: Security fixes in m4-1.4.11
secunia
  • 29671
  • 29729
slackware SSA:2008-098-01
vupen ADV-2008-1151
xf gnu-m4-macros-weak-security(41706)
statements via4
contributor Joshua Bressers
lastmodified 2008-04-15
organization Red Hat
statement Red Hat does not consider this to be a security issue. After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior.
Last major update 08-08-2017 - 01:30
Published 09-04-2008 - 19:05