CVE-2020-24654

EPSS 0.84%
Published 02.09.2020 17:15:12
Last modified 21.11.2024 05:15:23
Source cve@mitre.org
Teams watchlist Login
Open Login

In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Kde ≫ Ark Version < 20.08.1

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version20.04 SwEditionlts

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version32

Opensuse ≫ Leap Version15.1

Opensuse ≫ Leap Version15.2

Debian ≫ Debian Linux Version9.0

Fedoraproject ≫ Fedora Version33

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.84%	0.74

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.3	1.8	1.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html

Third Party Advisory

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html

Third Party Advisory

Mailing List

https://bugzilla.suse.com/show_bug.cgi?id=1175857

Third Party Advisory

Issue Tracking

https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd

Patch

Third Party Advisory