CVE-2008-1687 - Vulnerability Details - OpenCVE

The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.02727.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnu	M4

Configuration 1 [-]

cpe:2.3:a:gnu:m4:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://secunia.com/advisories/29671
http://secunia.com/advisories/29729
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612
http://www.openwall.com/lists/oss-security/2008/04/07/1
http://www.openwall.com/lists/oss-security/2008/04/07/12
http://www.openwall.com/lists/oss-security/2008/04/07/3
http://www.openwall.com/lists/oss-security/2008/04/07/4
http://www.securityfocus.com/bid/28688
http://www.vupen.com/english/advisories/2008/1151/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41706
https://www.cve.org/CVERecord?id=CVE-2008-1687

History

Wed, 28 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cve.org/CVERecord?id=CVE-2008-1687

Thu, 22 May 2025 04:30:00 +0000

Type	Values Removed	Values Added
References	https://nvd.nist.gov/vuln/detail/CVE-2008-1687 https://www.cve.org/CVERecord?id=CVE-2008-1687

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-04-09T19:00:00

Updated: 2024-08-07T08:32:01.011Z

Reserved: 2008-04-06T00:00:00

Link: CVE-2008-1687

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-04-09T19:05:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-1687

Redhat

Severity :

Publid Date: 2008-04-02T00:00:00Z

Links: CVE-2008-1687 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-04-06T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2008-1151", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1151/references"}, {"name": "28688", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/28688"}, {"name": "[oss-security] 20080407 Re: Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/12"}, {"name": "gnu-m4-macros-weak-security(41706)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41706"}, {"name": "29671", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29671"}, {"name": "[oss-security] 20080406 Re: Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/3"}, {"name": "[oss-security] 20080407 Re: Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/4"}, {"name": "29729", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29729"}, {"name": "[oss-security] 20080406 Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/1"}, {"name": "SSA:2008-098-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1687", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2008-1151", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1151/references"}, {"name": "28688", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28688"}, {"name": "[oss-security] 20080407 Re: Security fixes in m4-1.4.11", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/12"}, {"name": "gnu-m4-macros-weak-security(41706)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41706"}, {"name": "29671", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29671"}, {"name": "[oss-security] 20080406 Re: Security fixes in m4-1.4.11", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/3"}, {"name": "[oss-security] 20080407 Re: Security fixes in m4-1.4.11", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/4"}, {"name": "29729", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29729"}, {"name": "[oss-security] 20080406 Security fixes in m4-1.4.11", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/1"}, {"name": "SSA:2008-098-01", "refsource": "SLACKWARE", "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:32:01.011Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2008-1151", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1151/references"}, {"name": "28688", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/28688"}, {"name": "[oss-security] 20080407 Re: Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/12"}, {"name": "gnu-m4-macros-weak-security(41706)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41706"}, {"name": "29671", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29671"}, {"name": "[oss-security] 20080406 Re: Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/3"}, {"name": "[oss-security] 20080407 Re: Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/4"}, {"name": "29729", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29729"}, {"name": "[oss-security] 20080406 Security fixes in m4-1.4.11", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/04/07/1"}, {"name": "SSA:2008-098-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE", "x_transferred"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1687", "datePublished": "2008-04-09T19:00:00", "dateReserved": "2008-04-06T00:00:00", "dateUpdated": "2024-08-07T08:32:01.011Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:m4:*:*:*:*:*:*:*:*", "matchCriteriaId": "0516018C-BCCA-4F3F-8EE7-FB362EAEFB12", "versionEndIncluding": "1.4.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename."}, {"lang": "es", "value": "Las funciones (1) maketemp y (2) mkstemp incluidas en GNU m4 versiones anteriores a 1.4.11 no citan sus salidas cuando un fichero es creado, lo cual podr\u00eda permitir a atacantes dependientes de contexto disparar una expansi\u00f3n macro, llevando a cabo un uso no especificado de un nombre de fichero incorrecto."}], "id": "CVE-2008-1687", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-04-09T19:05:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29671"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/29729"}, {"source": "cve@mitre.org", "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/1"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/12"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/3"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/4"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28688"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1151/references"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41706"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29671"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/29729"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/04/07/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/28688"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1151/references"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41706"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Red Hat does not consider this to be a security issue. After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior.", "lastModified": "2008-04-15T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}