Bug 2257749 (CVE-2024-0406) - CVE-2024-0406 mholt/archiver: path traversal vulnerability
Summary: CVE-2024-0406 mholt/archiver: path traversal vulnerability
Keywords:
Status: NEW
Alias: CVE-2024-0406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2257750
Reported: 2024-01-10 18:40 UTC by Robb Gatica
Modified: 2024-04-06 12:14 UTC

Fixed In Version: mholt 4
Doc Type: ---
Doc Text:
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file which, when unpacked, may allow access to restricted files or directories. This issue can allow files to be created or overwritten with the privileges of the user or application using the library.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-01-10 18:40:35 UTC
Reference INC2833242:

-----
There's an issue in https://github.com/mholt/archiver/ (version 3). v4 is not affected, as it doesn't support this functionality.

It's a path traversal when unpacking a specially crafted tar archive. I originally reported this in Syft, but the underlying issue is in this library.
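
Added example, not code from mholt/archiver or from the reporter: a Go containment check of the kind an extractor needs before writing each tar entry, run over a constructed in-memory archive whose second entry name climbs above the destination. The destination path and entry names are made up for the demonstration.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)
// safeJoin resolves name under dest; Join collapses "..", so "a/../../x" becomes "../x" and fails the prefix test.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	if filepath.IsAbs(name) || (target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator))) {
		return "", fmt.Errorf("%q escapes destination %q", name, dest)
	}
	return target, nil
}
// CheckArchive walks a tar stream without touching disk; it returns the resolved paths or the first escaping entry.
func CheckArchive(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var paths []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return paths, nil
		} else if err != nil {
			return paths, err
		}
		p, err := safeJoin(dest, hdr.Name)
		if err == nil && hdr.Typeflag == tar.TypeLink { // hard-link targets are archive-root relative too
			_, err = safeJoin(dest, hdr.Linkname)
		}
		if err != nil {
			return paths, err
		}
		paths = append(paths, p)
	}
}
// CraftedArchive is a constructed in-memory tar: one ordinary entry, then one whose name climbs above the root.
func CraftedArchive() string {
	var buf strings.Builder
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"app/config.txt", "../outside.txt"} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 2})
		tw.Write([]byte("ok"))
	}
	tw.Close()
	return buf.String()
}
```

Running CheckArchive over CraftedArchive accepts the first entry and stops at the second with an error naming "../outside.txt", which is the point at which a safe extractor must refuse the archive rather than write the file.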
