CVE-2022-1664

CWE-22 — Path Traversal8 documents7 sources

Severity

9.8CRITICAL

EPSS

0.5%

top 36.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Dpkg Debian Debian Linux

Timeline

PublishedMay 26

Latest updateMay 30

Description

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5debian/dpkg1.14.17 — 1.21.8

▶NVDdebian/dpkg1.14.17 — 1.18.26+3

▶Debiandpkg< 1.20.10+3

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: git.dpkg.org ↗Patch: git.dpkg.org ↗Patch: git.dpkg.org ↗

🔴Vulnerability Details

GHSA

GHSA-q7pv-fjh6-6xq6: Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1↗2022-05-27

▶

OSV

CVE-2022-1664: Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1↗2022-05-26

▶

CVEList

directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar↗2022-05-26

▶

📋Vendor Advisories

Ubuntu

dpkg vulnerability↗2022-05-30

▶

Ubuntu

dpkg vulnerability↗2022-05-26

▶

Microsoft

directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar↗2022-05-10

▶

Debian

CVE-2022-1664: dpkg - Dpkg::Source::Archive in dpkg, the Debian package management system, before vers...↗2022

▶