Pacman Project Pacman 3.3.2

CPE Details

Pacman Project Pacman 3.3.2
pacman_project
pacman
3.3.2
2019-08-06
13h47 +00:00
2019-08-06
13h47 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:pacman_project:pacman:3.3.2:*:*:*:*:*:*:*

Informations

Vendor

pacman_project

Product

pacman

Version

3.3.2

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2019-18182 2020-02-24 13h38 +00:00 pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package.
9.8
Critical
CVE-2019-18183 2020-02-24 13h36 +00:00 pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file.
9.8
Critical
CVE-2019-9686 2019-03-11 15h00 +00:00 pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U " due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c.
8.8
High
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.