CVE-2019-16680

Published: Sep 21, 2019Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

Affected (7)

Products: Gnome: File Roller · Canonical: Ubuntu Linux · Debian: Debian Linux · +1 more

Show all products

Gnome: File Roller · Canonical: Ubuntu Linux · Debian: Debian Linux · Redhat: Enterprise Linux

1 product

1 product

1 product

1 product

Enterprise Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gnome File Roller	Before 3.29.91

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (15)

https://bugzilla.gnome.org/show_bug.cgi?id=794337

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2

Source: cve@mitre.org

PatchThird Party Advisory

https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/09/msg00032.html

Source: cve@mitre.org

Third Party Advisory

https://seclists.org/bugtraq/2019/Sep/57

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://usn.ubuntu.com/4139-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4537

Source: cve@mitre.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1767594

Source: nvd@nist.gov

Third Party Advisory

https://bugzilla.gnome.org/show_bug.cgi?id=794337

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/09/msg00032.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://seclists.org/bugtraq/2019/Sep/57

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://usn.ubuntu.com/4139-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2019/dsa-4537

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.