CVE-2014-3865 - Vulnerability Details - OpenCVE

Description

Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname.

Published: 2014-05-30

Score: 6.4 Medium

EPSS: 5.3% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:debian:dpkg-dev:1.3.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2014-3802	Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname.
Ubuntu USN	USN-2242-1	dpkg vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0529.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://openwall.com/lists/oss-security/2014/05/25/2
http://www.debian.org/security/2014/dsa-2953
http://www.securityfocus.com/bid/67727
http://www.ubuntu.com/usn/USN-2242-1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183

History

No history.

Subscriptions

Debian Dpkg-dev

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-05-30T18:00:00.000Z

Updated: 2024-08-06T10:57:17.636Z

Reserved: 2014-05-25T00:00:00.000Z

Link: CVE-2014-3865

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-05-30T18:55:06.100

Modified: 2026-05-06T22:30:45.220

Link: CVE-2014-3865

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-05-25T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-28T19:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "USN-2242-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"name": "DSA-2953", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2953"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"name": "[oss-security] 20140525 CVE request: another path traversal in dpkg-source during unpack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"name": "67727", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/67727"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3865", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-2242-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"name": "DSA-2953", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2953"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183", "refsource": "CONFIRM", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"name": "[oss-security] 20140525 CVE request: another path traversal in dpkg-source during unpack", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"name": "67727", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67727"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:57:17.636Z"}, "title": "CVE Program Container", "references": [{"name": "USN-2242-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"name": "DSA-2953", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2953"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"name": "[oss-security] 20140525 CVE request: another path traversal in dpkg-source during unpack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"name": "67727", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/67727"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3865", "datePublished": "2014-05-30T18:00:00.000Z", "dateReserved": "2014-05-25T00:00:00.000Z", "dateUpdated": "2024-08-06T10:57:17.636Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:dpkg-dev:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "7BCB8709-8C0B-433D-9854-295852AF8A38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en dpkg-source en dpkg-dev 1.3.0 permiten a atacantes remotos modificar archivos fuera de los directorios intencionados a trav\u00e9s de un paquete fuente con una pseudo-cabecera Index: manipulada en conjunto con (1) l\u00edneas de cabecera missing --- and +++ o (2) una l\u00ednea de cabecera +++ con un nombre de ruta en blanco."}], "id": "CVE-2014-3865", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-05-30T18:55:06.100", "references": [{"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2953"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67727"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"source": "cve@mitre.org", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/05/25/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2953"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2242-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}