Directory Traversal Vulnerability in GNOME Autoar Affecting Shell and Nautilus
CVE-2020-36241

5.5MEDIUM

Key Information:

Vendor

Gnome
Status
Gnome-autoar
Vendor
CVE Published:
5 February 2021

What is CVE-2020-36241?

The gnome-autoar tool, utilized in various GNOME applications including GNOME Shell and Nautilus, is susceptible to a Directory Traversal vulnerability. This flaw permits unauthorized extraction of files outside the intended directory due to insufficient validation of symlink parent directories. An attacker could potentially exploit this weakness during the extraction process, leading to the leakage of sensitive data or modification of files on the host system.

References

https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
x_refsource_MISC
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb0...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.