Engrampa Archive Manager Vulnerable to Path Traversal Attack
CVE-2023-52138

8.2HIGH

Key Information:

Vendor

Mate-desktop

Status
Engrampa
Vendor
CVE Published:
5 February 2024

What is CVE-2023-52138?

Engrampa, the archive manager for MATE, has a vulnerability that allows for Path Traversal through improperly handled symlink extraction during the processing of CPIO archives. This flaw can lead to arbitrary file writes, potentially enabling remote attackers to execute arbitrary commands on the target system. When a user extracts a maliciously crafted CPIO or ISO archive, the Engrampa Archive Manager does not adequately verify the symlink path, creating an avenue for exploitation. This vulnerability was addressed in commit 63d5dfa and underscores the importance of securing archive management tools against such exploits.

Affected Version(s)

engrampa < commit 63d5dfa

References

https://github.com/mate-desktop/engrampa/security/advisor...
x_refsource_CONFIRM
https://github.com/mate-desktop/engrampa/commit/63d5dfa90...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.