CVE-2020-36241

Опубликовано: 05 фев. 2021

Источник: nvd

CVSS3: 5.5

CVSS2: 2.1

EPSS Низкий

Описание

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Ссылки

https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
Patch
Vendor Advisory
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Exploit
Issue Tracking
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
https://security.gentoo.org/glsa/202105-10
Third Party Advisory
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
Patch
Vendor Advisory
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Exploit
Issue Tracking
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
https://security.gentoo.org/glsa/202105-10
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:gnome:gnome-autoar:*:*:*:*:*:*:*:*

Версия до 0.2.4 (включая)

Конфигурация 2

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

EPSS

Процентиль: 40%

0.00175

Низкий

5.5 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-22

Связанные уязвимости

CVE-2020-36241

CVSS3: 5.5

ubuntu

больше 4 лет назад

CVE-2020-36241

CVSS3: 3.9

redhat

почти 5 лет назад

CVE-2020-36241

CVSS3: 5.5

debian

больше 4 лет назад

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNO ...

openSUSE-SU-2021:0390-1

suse-cvrf

больше 4 лет назад

Security update for gnome-autoar

SUSE-SU-2021:0687-1

suse-cvrf

больше 4 лет назад

Security update for gnome-autoar

EPSS

Процентиль: 40%

0.00175

Низкий

5.5 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-22