{
  "threat_severity" : "Moderate",
  "public_date" : "2015-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "ntp: saveconfig directory traversal vulnerability",
    "id" : "1274260",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1274260"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-22",
  "details" : [ "Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files." ],
  "statement" : "This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue only affected OpenVMS operating systems, which use characters other than \"/\" and \"\\\" for directory separation, allowing exploitation of this flaw.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "ntp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "ntp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "ntp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-7851\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7851\nhttp://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner\nhttp://talosintel.com/reports/TALOS-2015-0062/" ],
  "name" : "CVE-2015-7851",
  "csaw" : false
}