CVE-2019-16680 — Path Traversal in File-roller

CWE-22 — Path Traversal7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.8%

top 17.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome File-roller Debian File-roller Canonical Ubuntu Linux +2 more

Timeline

PublishedSep 21

Latest updateMay 24

Description

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDgnome/file-roller< 3.29.91

▶Debiangnome/file-roller< 3.30.0-1+3

▶debiandebian/file-roller< file-roller 3.30.0-1 (bookworm)

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 16.04, 18.04, Enterprise Linux 7.0, 8.0

Patches

Patch: gitlab.gnome.org ↗Patch: gitlab.gnome.org ↗Patch: gitlab.gnome.org ↗

🔴Vulnerability Details

GHSA

GHSA-63pg-53ch-332g: An issue was discovered in GNOME file-roller before 3↗2022-05-24

▶

OSV

CVE-2019-16680: An issue was discovered in GNOME file-roller before 3↗2019-09-21

▶

📋Vendor Advisories

Ubuntu

File Roller vulnerability↗2019-09-25

▶

Debian

CVE-2019-16680: file-roller - An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ...↗2019

▶

Red Hat

file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive↗2018-03-14

▶

💬Community

Bugzilla

CVE-2019-16680 file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive↗2019-10-31

▶