CVE-2022-48682

In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.

Affected Software

Name	Vendor	Start Version	End Version
Fdupes	Ubuntu	esm-apps/bionic	*
Fdupes	Ubuntu	esm-apps/focal	*
Fdupes	Ubuntu	esm-apps/xenial	*
Fdupes	Ubuntu	focal	*
Fdupes	Ubuntu	jammy	*
Fdupes	Ubuntu	upstream	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/27.html
https://cwe.mitre.org/data/definitions/29.html

References

https://bugzilla.suse.com/show_bug.cgi?id=1200381
https://github.com/adrianlopezroche/fdupes/blob/4b6bcde1b3eb1cebe87cd30814f7d6cf4ee46e95/fdupes.c
https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f
https://github.com/adrianlopezroche/fdupes/compare/v2.1.2...v2.2.0
https://bugzilla.suse.com/show_bug.cgi?id=1200381
https://github.com/adrianlopezroche/fdupes/blob/4b6bcde1b3eb1cebe87cd30814f7d6cf4ee46e95/fdupes.c
https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f
https://github.com/adrianlopezroche/fdupes/compare/v2.1.2...v2.2.0

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-48682
CWE	https://cwe.mitre.org/data/definitions/367.html

Time-of-check Time-of-use (TOCTOU) Race Condition

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References