exploitDog
CVE-2019-16680

Published: 14 Mar 2018
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

A path traversal vulnerability was discovered in file-roller (Archive Manager for GNOME) in the way file paths containing special characters are sanitized. An archive whose member path contains the sequence "../" can trigger this flaw. A remote attacker could exploit it by crafting an archive in which a file sits inside one or more sub-directories; when the victim opens the archive, file-roller extracts that file into the current working directory instead of the sub-directory one would expect from inspecting the archive listing.

Mitigation

Avoid using file-roller (Archive Manager for GNOME) to extract untrusted archives; use the appropriate command-line utility instead (such as tar or unzip). GNU tar strips leading "../" components from member names by default (it reports "Removing leading `../' from member names") and only honours them with -P/--absolute-names; Info-ZIP unzip likewise skips "../" path components and warns about them. In either case, list the archive first (tar -tvf, unzip -l) and look for "..", absolute paths and symlink targets before extracting. On Red Hat Enterprise Linux 7, where the status is "Will not fix", this workaround is the only remediation.
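To make the failure mode concrete, here is an added example in Python (not code from file-roller, Red Hat or exploitDog). It builds a small tar archive in memory from constructed member names, including the "./../" shape this CVE describes, and audits every member with the check a safe extractor needs: resolve the member name against the destination directory and reject anything whose final location falls outside it. The destination name "extract_root" is hypothetical and nothing is created on disk; the archive contents are constructed test data.

```python
import io
import os
import tarfile


def build_archive(entries):
    """Build an in-memory tar archive from (name, payload, linkname) tuples.

    Constructed test data: names are written into the header verbatim, so an
    entry such as './../escaped.txt' is stored exactly as a crafted archive
    would store it. A non-None linkname makes the entry a symlink.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload, linkname in entries:
            info = tarfile.TarInfo(name=name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(dest, path):
    """True if `path`, joined to `dest`, resolves inside `dest`.

    os.path.realpath collapses '.', '..' and symlink components, so the
    decision is made on the final location, not on the spelling of the name:
    './../escaped.txt' resolves to the parent of dest and fails; an absolute
    path fails because os.path.join discards dest entirely.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, path))
    return target == dest_real or target.startswith(dest_real + os.sep)


def audit_archive(data, dest="extract_root"):
    """Split the members of a tar archive into (safe, rejected) name lists.

    `dest` is a hypothetical extraction directory; nothing is written to disk.
    Link entries are checked twice: the link's own name and the location it
    points to, since a later member could write through an escaping link.
    """
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            ok = is_within(dest, m.name)
            if m.issym():
                # symlink targets are relative to the link's own directory
                link_dir = os.path.dirname(m.name)
                ok = ok and is_within(dest, os.path.join(link_dir, m.linkname))
            elif m.islnk():
                # hardlink targets are archive-relative member names
                ok = ok and is_within(dest, m.linkname)
            (safe if ok else rejected).append(m.name)
    return safe, rejected


# Constructed members covering the shapes an extractor must tell apart.
CRAFTED_ENTRIES = [
    ("docs/readme.txt", b"hello\n", None),            # ordinary member
    ("docs/../notes.txt", b"still inside\n", None),   # '..' that stays in the tree
    ("./../escaped.txt", b"x\n", None),               # the CVE-2019-16680 shape
    ("/tmp/absolute.txt", b"x\n", None),              # absolute member name
    ("docs/alias", None, "readme.txt"),               # symlink inside the tree
    ("docs/escape_link", None, "../../outside.txt"),  # symlink out of the tree
]


def demo():
    """Audit the constructed archive and return (safe, rejected)."""
    return audit_archive(build_archive(CRAFTED_ENTRIES))


if __name__ == "__main__":
    safe, rejected = demo()
    print("safe:    ", safe)
    print("rejected:", rejected)
```

Note that "docs/../notes.txt" is accepted because it still resolves inside the tree, while "./../escaped.txt" is rejected: a check that grepped for ".." would wrongly reject the first, and one that only stripped a leading "../" would let the second through, which is the class of sanitization mistake this CVE describes. Python 3.12, and the maintenance releases that backported PEP 706, apply an equivalent check inside extractall() when called with filter="data".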

Affected packages

Platform                     Package      State                  Advisory        Release
Red Hat Enterprise Linux 5   file-roller  Out of support scope
Red Hat Enterprise Linux 6   file-roller  Out of support scope
Red Hat Enterprise Linux 7   file-roller  Will not fix
Red Hat Enterprise Linux 8   file-roller  Fixed                  RHSA-2020:4820  2020-11-04

Additional information

Severity: Moderate
Weakness: CWE-22 (path traversal)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1767594 (file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive)

EPSS: 0.01789 (82nd percentile), Low

CVSS3: 4.3 Medium

Related vulnerabilities

ubuntu (CVSS3: 4.3, about 6 years ago): same NVD description as above.

nvd (CVSS3: 4.3, about 6 years ago): An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

debian (CVSS3: 4.3, about 6 years ago): An issue was discovered in GNOME file-roller before 3.29.91. It allows ...

suse-cvrf (over 5 years ago): Security update for file-roller

github (CVSS3: 4.3, over 3 years ago): same NVD description as above.
