{"url":"http://public2.vulnerablecode.io/api/packages/105727?format=json","purl":"pkg:deb/debian/timeshift@22.11.2-1%2Bdeb12u1?distro=trixie","type":"deb","namespace":"debian","name":"timeshift","version":"22.11.2-1+deb12u1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"20.03+ds-1","latest_non_vulnerable_version":"25.12.4-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207582?format=json","vulnerability_id":"VCID-271k-q7z5-2ydq","summary":"init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-10174","reference_id":"","reference_type":"","scores":[{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31141","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-10174"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10174","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10174"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953385","reference_id":"953385","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953385"},{"reference_url":"https://usn.ubuntu.com/4312-1/","reference_id":"USN-4312-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4312-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/105728?format=json","purl":"pkg:deb/debian/timeshift@20.03%2Bds-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/timeshift@20.03%252Bds-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/105729?format=json","purl":"pkg:deb/debian/timeshift@20.11.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/timeshift@20.11.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/105727?format=json","purl":"pkg:deb/debian/timeshift@22.11.2-1%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/timeshift@22.11.2-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/105731?format=json","purl":"pkg:deb/debian/timeshift@24.06.6-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/timeshift@24.06.6-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/105730?format=json","purl":"pkg:deb/debian/timeshift@25.12.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/timeshift@25.12.4-1%3Fdistro=trixie"}],"aliases":["CVE-2020-10174"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-271k-q7z5-2ydq"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/timeshift@22.11.2-1%252Bdeb12u1%3Fdistro=trixie"}