CVE-2015-2060 — Path Traversal in Project Cabextract

CWE-22 — Path Traversal6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

8.7%

top 7.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cabextract Project Cabextract

Timeline

PublishedNov 29

Latest updateMay 24

Description

cabextract before 1.6 does not properly check for leading slashes when extracting files, which allows remote attackers to conduct absolute directory traversal attacks via a malformed UTF-8 character that is changed to a UTF-8 encoded slash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDcabextract_project/cabextract< 1.6

▶Debiancabextract_project/cabextract< 1.6-1+3

Patches

Patch: lists.fedoraproject.org ↗Patch: lists.fedoraproject.org ↗Patch: lists.fedoraproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-frjv-h9wg-233r: cabextract before 1↗2022-05-24

▶

CVEList

CVE-2015-2060: cabextract before 1↗2019-11-29

▶

OSV

CVE-2015-2060: cabextract before 1↗2019-11-29

▶

📋Vendor Advisories

Debian

CVE-2015-2060: cabextract - cabextract before 1.6 does not properly check for leading slashes when extractin...↗2015

▶

💬Community

Bugzilla

CVE-2015-2060 cabextract: directory traversal with UTF-8 symbols in filenames↗2015-02-18

▶