{ "id": "CVE-2020-36241", "sourceIdentifier": "cve@mitre.org", "published": "2021-02-05T14:15:17.387", "lastModified": "2022-04-08T14:22:23.907", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location." }, { "lang": "es", "value": "El archivo autoar-extractor.c en GNOME gnome-autoar versiones hasta 0.2.4, tal y como es usado por GNOME Shell, Nautilus y otro software, permite un Salto de Directorio durante la extracci\u00f3n porque presenta una falta de comprobaci\u00f3n de si el padre de un archivo es un enlace simb\u00f3lico para un directorio fuera del lugar de extracci\u00f3n previsto" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1 }, "baseSeverity": "LOW", "exploitabilityScore": 3.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-22" }, { "lang": "en", "value": "CWE-59" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:gnome:gnome-autoar:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.2.4", "matchCriteriaId": "51BF6AE0-02D3-4C08-8A28-0A657A66BBA5" } ] } ] }, { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835" } ] } ] } ], "references": [ { "url": "https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429", "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ] }, { "url": "https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7", "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ] }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/", "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ] }, { "url": "https://security.gentoo.org/glsa/202105-10", "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ] } ] }