{"id":"MGASA-2020-0429","summary":"Updated librepo packages fix a security vulnerability","details":"It was discovered that librepo was subject to a directory traversal vulnerability\nwhere it failed to sanitize paths in remote repository metadata. An attacker\ncontrolling a remote repository may be able to copy files outside of the\ndestination directory on the targeted system via path traversal. This flaw\ncould potentially result in system compromise via the overwriting of critical\nsystem files (CVE-2020-14352).\n","modified":"2026-04-16T04:44:39.238872868Z","published":"2020-11-21T12:21:00Z","upstream":["CVE-2020-14352"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0429.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27241"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33RX4P5R5YL4NZSFSE4NOX37X6YCXAS4/"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:5012"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00072.html"}],"affected":[{"package":{"name":"librepo","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/librepo?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.3-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0429.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}