What is CVE-2017-7501?

CVE-2017-7501 is a vulnerability found in versions of rpm before 4.13.0.2 that allows an attacker to create symbolic links to an arbitrary location and modify content during the installation of an RPM.

How does CVE-2017-7501 impact me?

If you are using a version of rpm before 4.13.0.2, an attacker with write access to the installation directory can exploit this vulnerability to modify the content and potentially gain unauthorized access.

What is the severity of CVE-2017-7501?

CVE-2017-7501 has a severity rating of 7.8 (high).

How do I fix the CVE-2017-7501 vulnerability?

To fix the CVE-2017-7501 vulnerability, you should update to version 4.13.0.2 or later of rpm.

Where can I find more information about CVE-2017-7501?

You can find more information about CVE-2017-7501 at the following references: - [GitHub Commit](https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc) - [Apache Mailing List Thread 1](https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E) - [Apache Mailing List Thread 2](https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E)

Vulnerability/
CVE-2017-7501

high

7.8

CWE

22/11/2017

17/9/2024

CVE-2017-7501

First published: Wed Nov 22 2017(Updated: )

It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Rpm Rpm	<4.13.0.3

Remedy

https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2017-7501?
CVE-2017-7501 is a vulnerability found in versions of rpm before 4.13.0.2 that allows an attacker to create symbolic links to an arbitrary location and modify content during the installation of an RPM.
How does CVE-2017-7501 impact me?
If you are using a version of rpm before 4.13.0.2, an attacker with write access to the installation directory can exploit this vulnerability to modify the content and potentially gain unauthorized access.
What is the severity of CVE-2017-7501?
CVE-2017-7501 has a severity rating of 7.8 (high).
How do I fix the CVE-2017-7501 vulnerability?
To fix the CVE-2017-7501 vulnerability, you should update to version 4.13.0.2 or later of rpm.
Where can I find more information about CVE-2017-7501?
You can find more information about CVE-2017-7501 at the following references: - [GitHub Commit](https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc) - [Apache Mailing List Thread 1](https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E) - [Apache Mailing List Thread 2](https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E)

collector/nvd-index
agent/references
agent/weakness
agent/event
agent/severity
agent/author
agent/type
agent/description
agent/remedy
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/rpm
canonical/rpm rpm