CVE-2020-24654

Published: Sep 2, 2020Modified: Nov 21, 2024

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 1.8 / Impact: 1.4

Source: NVD

Description

In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

Affected (10)

Products: Kde: Ark · Canonical: Ubuntu Linux · Debian: Debian Linux · +2 more

Show all products

Kde: Ark · Canonical: Ubuntu Linux · Debian: Debian Linux · Fedoraproject: Fedora · Opensuse: Leap

1 product

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kde Ark	Before 20.08.1

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04
Debian Debian Linux	Version 10.0
Fedoraproject Fedora	Version 32
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (22)

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1175857

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd

Source: cve@mitre.org

PatchThird Party Advisory

https://kde.org/info/security/advisory-20200827-1.txt

Source: cve@mitre.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJOZ6YRNPZX5MJGVBMOCOA7N6Z4EU2OK/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202010-06

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/202101-06

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4482-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4759

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1175857

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://kde.org/info/security/advisory-20200827-1.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJOZ6YRNPZX5MJGVBMOCOA7N6Z4EU2OK/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202010-06

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gentoo.org/glsa/202101-06

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4482-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2020/dsa-4759

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.