CVE-2021-28650
Publication date 17 March 2021
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
Status
Package | Ubuntu Release | Status |
---|---|---|
gnome-autoar | ||
20.04 LTS focal |
Fixed 0.2.3-2ubuntu0.3
|
|
18.04 LTS bionic |
Fixed 0.2.3-1ubuntu0.3
|
|
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release |
Patch details
Package | Patch details |
---|---|
gnome-autoar |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 · Medium |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4937-1
- GNOME Autoar vulnerability
- 6 May 2021