fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.
References
Link | Resource |
---|---|
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae | Patch Vendor Advisory |
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108 | Exploit Issue Tracking Vendor Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/ |
Configurations
History
07 Nov 2023, 03:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-59 | |
References |
|
|
03 Jun 2021, 19:09
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
24 Apr 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Apr 2021, 18:34
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-22 | |
References | (MISC) https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae - Patch, Vendor Advisory | |
References | (MISC) https://gitlab.gnome.org/GNOME/file-roller/-/issues/108 - Exploit, Issue Tracking, Vendor Advisory | |
CPE | cpe:2.3:a:gnome:file-roller:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 2.6
v3 : 3.9 |
07 Apr 2021, 12:19
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-04-07 12:15
Updated : 2023-12-10 13:55
NVD link : CVE-2020-36314
Mitre link : CVE-2020-36314
CVE.ORG link : CVE-2020-36314
JSON object : View
Products Affected
gnome
- file-roller
fedoraproject
- fedora
CWE
CWE-59
Improper Link Resolution Before File Access ('Link Following')