PT-2021-2227 · Gnome · Gnome Autoar

Published 2021-02-05 · Updated 2022-05-20 · CVE-2020-36241

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GNOME gnome-autoar versions before 0.2.4 (0.2.4 is the first release that contains the fix).
Description: The vulnerability is in autoar-extractor.c of the gnome-autoar library, which GNOME Shell, Nautilus and other software use to extract archives. Before writing an entry, the extractor did not check whether a parent directory of the target path is a symbolic link to a directory outside the intended extraction location. A crafted archive that first creates such a symlink and then carries an entry beneath it therefore makes the extractor follow the link and write files outside the destination directory (directory traversal through link following). Because the symlink is only created while the archive is being extracted, a lexical check of entry names alone does not catch this; the parent path has to be resolved on disk at the time each entry is written.
Recommendations: Update gnome-autoar to version 0.2.4 or later, or install the patched distribution package referenced by the related advisories listed below. Until the update is applied, do not extract archives from untrusted sources with an affected version (including automatic extraction of downloaded archives by Nautilus), and keep the permissions on directories an extractor could be made to write into as tight as possible.
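To make the missing check concrete, the following is an added example written for this page; it is not gnome-autoar code and does not reproduce the project's fix verbatim. It re-creates the bug class with Python's tarfile module: a constructed archive first creates a symlink that points outside the extraction directory and then contains a regular file beneath that symlink. A naive extractor follows the link and writes the file outside the destination; extract_checked() resolves the parent of every entry on disk immediately before writing it, which is the class of check the fixed extractor performs. All function names, the sample archive and the "outside" directory are this example's own assumptions.

```python
"""Parent-symlink traversal during archive extraction, and the check that closes it."""
import io
import os
import tarfile
import tempfile

# Python 3.12+ (and the security backports) let us ask explicitly for the old
# permissive behaviour, which is exactly what an unchecked extractor does.
TRUSTED = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}


def build_malicious_tar() -> bytes:
    """Constructed sample archive: a symlink escaping the destination, then a file beneath it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"  # relative target one level above the extraction dir
        tf.addfile(link)

        payload = b"written through the symlink\n"
        member = tarfile.TarInfo("link/pwned.txt")
        member.size = len(payload)
        tf.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def parent_escapes(dest_root: str, member_name: str) -> bool:
    """True if the parent directory of member_name, with on-disk symlinks resolved,
    lies outside dest_root. This is the check the vulnerable extractor lacked."""
    root = os.path.realpath(dest_root)
    parent = os.path.dirname(os.path.join(root, member_name))
    resolved = os.path.realpath(parent)
    return os.path.commonpath([root, resolved]) != root


def extract_checked(tar_bytes: bytes, dest: str):
    """Extract entries one at a time, re-checking the parent path before each write,
    because an earlier entry may already have planted a symlink on disk."""
    extracted, skipped = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            norm = os.path.normpath(m.name)
            lexical_escape = os.path.isabs(norm) or norm == ".." or norm.startswith(".." + os.sep)
            if lexical_escape or parent_escapes(dest, m.name):
                skipped.append(m.name)
                continue
            tf.extract(m, dest, **TRUSTED)
            extracted.append(m.name)
    return extracted, skipped


def run_demo() -> dict:
    """Extract the sample archive once with the check and once without; report where the file landed."""
    base = tempfile.mkdtemp(prefix="autoar-demo-")
    outside = os.path.join(base, "outside")  # stands in for the attacker's real target directory
    os.mkdir(outside)
    target = os.path.join(outside, "pwned.txt")
    tar_bytes = build_malicious_tar()

    checked_dest = os.path.join(base, "checked")
    os.mkdir(checked_dest)
    extracted, skipped = extract_checked(tar_bytes, checked_dest)
    checked_escaped = os.path.isfile(target)

    naive_dest = os.path.join(base, "naive")
    os.mkdir(naive_dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            tf.extract(m, naive_dest, **TRUSTED)  # no parent check: follows naive/link
    naive_escaped = os.path.isfile(target)

    return {
        "extracted": extracted,
        "skipped": skipped,
        "checked_escaped": checked_escaped,
        "naive_escaped": naive_escaped,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check runs per entry at write time rather than as an up-front scan of entry names, because the symlink that enables the escape only exists once the earlier entry has been extracted. A stricter policy refuses to create the symlink at all when its target resolves outside the destination; Python 3.12+ does this with tarfile's filter="data", which rejects links pointing outside the extraction directory.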

Weakness Enumeration

Link Following (CWE-59)

Path Traversal (CWE-22)

Related Identifiers

ALSA-2021:4381
ALT-PU-2021-1318
BDU:2021-01162
CESA-2021:4381
CVE-2020-36241
MGASA-2021-0111
OESA-2021-1108
OPENSUSE-SU-2021:0390-1
OPENSUSE-SU-2024:10795-1
RHSA-2021:4381
RLSA-2021:4381
SUSE-SU-2021:0664-1
SUSE-SU-2021:0687-1
USN-4733-1
USN-4733-2

Affected Products

ALT Linux
AlmaLinux
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu
Gnome Autoar