CVE-2016-7162 — Improper Input Validation in File-roller

CWE-20 — Improper Input Validation CWE-22 — Path Traversal8 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.2%

top 21.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome File-roller Debian File-roller Canonical Ubuntu Linux +1 more

Timeline

PublishedSep 26

Latest updateMay 13

Description

The _g_file_remove_directory function in file-utils.c in File Roller 3.5.4 through 3.20.2 allows remote attackers to delete arbitrary files via a symlink attack on a folder in an archive.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/file-roller< file-roller 3.20.3-1 (bookworm)

▶Debiangnome/file-roller< 3.20.3-1+3

▶NVDfile_roller_project/file_roller20 versions+19

Also affects: Ubuntu Linux 14.04, 16.04

Patches

Patch: git.gnome.org ↗Patch: git.gnome.org ↗

🔴Vulnerability Details

GHSA

GHSA-g3mg-grgw-vqfv: The _g_file_remove_directory function in file-utils↗2022-05-13

▶

OSV

CVE-2016-7162: The _g_file_remove_directory function in file-utils↗2016-09-26

▶

📋Vendor Advisories

Ubuntu

File Roller vulnerability↗2016-09-08

▶

Red Hat

file-roller: Path traversal vulnerability when opening crafted archive↗2016-09-07

▶

Debian

CVE-2016-7162: file-roller - The _g_file_remove_directory function in file-utils.c in File Roller 3.5.4 throu...↗2016

▶

💬Community

Bugzilla

CVE-2016-7162 file-roller: Path traversal vulnerability when opening crafted archive [fedora-all]↗2016-09-08

▶

Bugzilla

CVE-2016-7162 file-roller: Path traversal vulnerability when opening crafted archive↗2016-09-08

▶