CVE-2020-11736 — Path Traversal in File-roller
Severity
3.9LOWNVD
EPSS
0.3%
top 43.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 13
Latest updateMay 24
Description
fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:LExploitability: 1.3 | Impact: 2.5
Affected Packages2 packages
Also affects: Debian Linux 8.0, Fedora 34, Ubuntu Linux 16.04, 18.04, 19.10, 20.04
Patches
🔴Vulnerability Details
6📋Vendor Advisories
6Red Hat▶
file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736)↗2021-02-15
Red Hat▶
file-roller: directory traversal via directory symlink pointing outside of the target directory↗2020-04-12
Debian▶
CVE-2020-36314: file-roller - fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Sh...↗2020
💬Community
2Bugzilla▶
CVE-2020-11736 file-roller: directory traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location [fedora-al↗2020-04-16
Bugzilla▶
CVE-2020-11736 file-roller: directory traversal via directory symlink pointing outside of the target directory↗2020-04-16