Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2026-23949

Опубликовано: 20 янв. 2026
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS3: 8.6

Описание

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the jaraco.context.tarball() function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first / and extracts the second component, while allowing ../ sequences. Paths like dummy_dir/../../etc/passwd become ../../etc/passwd. Note that this suffers from a nested tarball attack as well with multi-level tar files such as dummy_dir/inner.tar.gz, where the inner.tar.gz includes a traversal dummy_dir/../../config/.env that also gets translated to ../../config/.env. Version 6.1.0 contains a patch for the issue.

РелизСтатусПримечание
devel

released

6.0.1-2
jammy

DNE

noble

not-affected

code not present
questing

released

6.0.1-1ubuntu0.1
upstream

released

6.1.0

Показывать по

Ссылки на источники

EPSS

Процентиль: 18%
0.00056
Низкий

8.6 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-23949

CVSS3: 8.6
nvd
18 дней назад

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.

debian логотип

CVE-2026-23949

CVSS3: 8.6
debian
18 дней назад

jaraco.context, an open-source software package that provides some use ...

suse-cvrf логотип

openSUSE-SU-2026:20095-1

suse-cvrf
15 дней назад

Security update for python-jaraco.context

github логотип

GHSA-58pv-8j8x-9vj2

CVSS3: 8.6
github
24 дня назад

jaraco.context Has a Path Traversal Vulnerability

EPSS

Процентиль: 18%
0.00056
Низкий

8.6 High

CVSS3