PT-2020-13083 · Unknown · Decompress

Stdunlap607 · Published 2020-04-26 · Updated 2026-06-05 · CVE-2020-12265

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

decompress versions prior to 4.2.1

Description

The issue allows arbitrary file write via ../ in an archive member when a symlink is used, due to directory traversal. This occurs because the package fails to prevent extraction of files with relative paths, so an attacker can write to any folder on the system by including filenames that contain ../.

Recommendations

Upgrade to version 4.2.1 or later. As a temporary workaround, consider restricting the use of the decompress package until the issue is resolved. Avoid using the decompress package to extract archives that may contain symlinks or relative paths.
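
An added example (not code from this advisory or from the decompress project): a pre-extraction check that flags archive members matching the two conditions in the description, a path that climbs out of the extraction root via ../ and a member written through a link the archive itself declared. The entry shape { path, type, linkname } and the type names 'symlink' and 'link' are assumptions, and the sample listing is constructed.

```javascript
// Added example. Entry shape { path, type, linkname } is an assumption.
// Resolve p against baseSegs lexically; return null if it leaves the root.
function resolveInside(baseSegs, p) {
  if (/^([\/\\]|[A-Za-z]:)/.test(p)) return null; // absolute or drive-qualified
  const segs = baseSegs.slice();
  for (const s of p.split(/[\/\\]+/)) {
    if (s === '' || s === '.') continue;
    if (s === '..' && segs.length === 0) return null; // would climb above the root
    if (s === '..') segs.pop(); else segs.push(s);
  }
  return segs;
}

function findUnsafeEntries(entries) {
  const links = new Set(); // normalized paths of links declared so far
  const unsafe = [];
  for (const e of entries) {
    const segs = resolveInside([], e.path);
    if (segs === null) {
      unsafe.push({ path: e.path, reason: 'path escapes extraction root' });
      continue;
    }
    // Conservative: refuse to write at or below any link from this archive.
    const prefixes = segs.map((_, i) => segs.slice(0, i + 1).join('/'));
    if (prefixes.some((p) => links.has(p))) {
      unsafe.push({ path: e.path, reason: 'path passes through an archive link' });
      continue;
    }
    if (e.type === 'symlink' || e.type === 'link') {
      links.add(segs.join('/'));
      // Symlink targets are relative to the link's directory; hard-link targets to the root.
      const base = e.type === 'symlink' ? segs.slice(0, -1) : [];
      if (resolveInside(base, e.linkname || '') === null) {
        unsafe.push({ path: e.path, reason: 'link target escapes extraction root' });
      }
    }
  }
  return unsafe;
}

// Constructed sample listing, not taken from a real archive.
const SAMPLE_ENTRIES = [
  { path: 'docs/readme.txt', type: 'file' },
  { path: 'docs/../../outside.txt', type: 'file' },
  { path: 'cache', type: 'symlink', linkname: '../outside-dir' },
  { path: 'cache/data.txt', type: 'file' },
  { path: 'docs/latest', type: 'symlink', linkname: 'readme.txt' },
];
console.log(findUnsafeEntries(SAMPLE_ENTRIES));
```

The check is purely lexical and never touches the filesystem, so it can run on an archive listing before anything is written; rejecting the whole archive when the result is non-empty is the simplest policy.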

Exploit

Fix

Link Following

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-12265
GHSA-QGFR-5HQP-VRW9

Affected Products

Decompress