CVE-2020-16116

Published: Aug 3, 2020Modified: Nov 21, 2024

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 1.8 / Impact: 1.4

Source: NVD

Description

In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.

Affected (9)

Products: Kde: Ark · Debian: Debian Linux · Fedoraproject: Fedora · +2 more

Show all products

Kde: Ark · Debian: Debian Linux · Fedoraproject: Fedora · Opensuse: Leap · Canonical: Ubuntu Linux

1 product

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kde Ark	Before 20.08.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Configuration E

2 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (20)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://github.com/KDE/ark/commits/master

Source: cve@mitre.org

Release NotesThird Party Advisory

https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f

Source: cve@mitre.org

PatchVendor Advisory

https://kde.org/info/security/advisory-20200730-1.txt

Source: cve@mitre.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202008-03

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4461-1/

Source: cve@mitre.org

PatchThird Party Advisory

https://www.debian.org/security/2020/dsa-4738

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html