CVE-2020-36314

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 06:34:00 PM UTC

CVE-2020-36314

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Certain versions of File-roller from Gnome contain the following vulnerability:

fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.

CVE-2020-36314 has been assigned by [email protected] to track the vulnerability - currently rated as LOW severity.

CVSS3 Score: 3.9 - LOW

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	LOW	REQUIRED
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	LOW	LOW

CVSS2 Score: 2.6 - LOW

Access Vector^ⓘ	Access Complexity	Authentication
LOCAL	HIGH	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
NONE	PARTIAL	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
CVE-2020-36314: GNOME Archive Manager Traversal Attack (#108) · Issues · GNOME / File Roller · GitLab	gitlab.gnome.org text/html	MISC gitlab.gnome.org/GNOME/file-roller/-/issues/108
libarchive: Skip files with symlinks in parents (e970f496) · Commits · GNOME / File Roller · GitLab	gitlab.gnome.org text/html	MISC gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Gnome	File-roller	All	All	All	All

cpe:2.3:a:gnome:file-roller:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2020-36314 : fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other soft… twitter.com/i/web/status/1…	2021-04-07 11:59:03
@LinInfoSec	Gnome - CVE-2020-36314: gitlab.gnome.org/GNOME/file-rol…	2021-04-07 16:14:34
@0_exploit	CVE-2020-36314 dlvr.it/RxBP1d	2021-04-07 16:23:03