CVE-2014-3127

Description

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.

Category

7.1
CVSS
Severity: High
CVSS 2.0 •
EPSS 1.50% Top 20%
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
http://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog
http://seclists.org/oss-sec/2014/q2/191 mailing list
http://seclists.org/oss-sec/2014/q2/227 mailing list
http://www.securityfocus.com/bid/67181 vdb entry

Frequently Asked Questions

What is the severity of CVE-2014-3127?
CVE-2014-3127 has been scored as a high severity vulnerability.
How to fix CVE-2014-3127?
To fix CVE-2014-3127, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2014-3127 being actively exploited in the wild?
It is possible that CVE-2014-3127 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.