CVE-2020-11736

fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Published: Apr 13, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-11736
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.9
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CVSS v2:

Severity: Low
Score: 3.3
AV:L/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-22
CWE-59

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
gnome / file-roller	-	3.36.1.x
debian / debian_linux	8.0	8.0.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.10	19.10.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	16.04	16.04.x

https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
https://lists.debian.org/debian-lts-announce/2020/04/msg00013.html
https://security.gentoo.org/glsa/202009-06
https://usn.ubuntu.com/4332-1/
https://usn.ubuntu.com/4332-2/

Vulnerability Database

290,278

CVE-2020-11736