CVE-2020-36314

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 06:34:00 PM UTC

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Certain versions of File-roller from Gnome contain the following vulnerability:

fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.

  • CVE-2020-36314 has been assigned by [email protected] to track the vulnerability - currently rated as LOW severity.

CVSS3 Score: 3.9 - LOW

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: LOW

CVSS2 Score: 2.6 - LOW

  • Access Vector: LOCAL
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVE References

  • Description: CVE-2020-36314: GNOME Archive Manager Traversal Attack (#108) · Issues · GNOME / File Roller · GitLab (gitlab.gnome.org)
    Tags: text/html, MISC
    Link: gitlab.gnome.org/GNOME/file-roller/-/issues/108
  • Description: libarchive: Skip files with symlinks in parents (e970f496) · Commits · GNOME / File Roller · GitLab (gitlab.gnome.org)
    Tags: text/html, MISC
    Link: gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae

Known Affected Configurations (CPE V2.3)

  • Type: Application
  • Vendor: Gnome
  • Product: File-roller
  • Version: All
  • Update: All
  • Edition: All
  • Language: All
  • cpe:2.3:a:gnome:file-roller:*:*:*:*:*:*:*:*:

Social Mentions

  • @CVEreport (Twitter), 2021-04-07 11:59:03 UTC: CVE-2020-36314 : fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other soft… twitter.com/i/web/status/1…
  • @LinInfoSec (Twitter), 2021-04-07 16:14:34 UTC: Gnome - CVE-2020-36314: gitlab.gnome.org/GNOME/file-rol…
  • @0_exploit (Twitter), 2021-04-07 16:23:03 UTC: CVE-2020-36314 dlvr.it/RxBP1d