CVE-2012-4245
- Public Date:
- 2012-08-16
- Bugzilla:
- 855929: CVE-2012-4245 gimp: arbitrary code execution without authentication in scriptfu network server
The MITRE CVE dictionary describes this issue as:
The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command.
Find out more about CVE-2012-4245 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat does not consider this to be a security flaw. The GIMP scriptfu server works as intended and should not be enabled in production environments as it was not designed to have any kind of security protection.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 5.1 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | gimp | Will not fix |
| Red Hat Enterprise Linux 5 | gimp | Will not fix |
CVE description copyright © 2017, The MITRE Corporation