CVE-2013-4420 — Path Traversal in Libtar

CWE-22 — Path Traversal9 documents7 sources

Severity

5.8MEDIUMNVD

EPSS

0.4%

top 40.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Feep Libtar Debian Libtar Msrc CBL Mariner 1.0 ARM +19 more

Timeline

PublishedFeb 20

Latest updateJun 11

Description

Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages23 packages

▶debiandebian/libtar< libtar 1.2.20-2 (bookworm)

▶Debianfeep/libtar< 1.2.20-2+1

▶NVDfeep/libtar1.2.20+8

▶msrcmsrc/libtar-1.2.20-8.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64

▶msrcmsrc/libtar-1.2.20-8.cm2.x86_64.rpm_on_cbl_mariner_2.0_x64

🔴Vulnerability Details

GHSA

GHSA-35h8-7h6c-x54q: Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1↗2022-05-17

▶

OSV

CVE-2013-4420: Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1↗2014-02-20

▶

📋Vendor Advisories

Microsoft

CVE-2013-4420: Mariner: Mariner secalert@redhat↗2024-06-11

▶

Red Hat

libtar: missing validation of file names↗2013-10-01

▶

Debian

CVE-2013-4420: libtar - Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2)...↗2013

▶

💬Community

Bugzilla

CVE-2013-4420 libtar: missing validation of file names↗2013-10-11

▶

Bugzilla

CVE-2013-4420 libtar: missing validation of file names [fedora-all]↗2013-10-11

▶

Bugzilla

CVE-2013-4420 libtar: missing validation of file names [epel-5]↗2013-10-11

▶