Vendor: CVS
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 78 (Command Injection)
Product Name: CVS
Affected Version From: 1.12.2000
Affected Version To: 1.12.8, 1.11.0-1.11.16
Patch Exists: YES
Related CWE: CVE-2004-0416
CPE: cpe:/a:gnu:cvs:1.12.8, cpe:/a:gnu:cvs:1.11.16
Platforms Tested:
2004
filediff Command Injection
The filediff command in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, allows remote attackers to execute arbitrary commands via a repository name with a -r (aka revision) option containing a shell metacharacter.
Mitigation:
Upgrade to a patched version of CVS.