{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-20T13:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/KDE/ark/commits/master"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.debian.org/security/2020/dsa-4738"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kde.org/info/security/advisory-20200730-1.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f"}, {"name": "GLSA-202008-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202008-03"}, {"name": "FEDORA-2020-cac5ae9b6e", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/"}, {"name": "openSUSE-SU-2020:1183", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html"}, {"name": "FEDORA-2020-e2fe8f0165", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM/"}, {"name": "USN-4461-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4461-1/"}, {"name": "[debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16116", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/KDE/ark/commits/master", "refsource": "MISC", "url": "https://github.com/KDE/ark/commits/master"}, {"name": "https://www.debian.org/security/2020/dsa-4738", "refsource": "CONFIRM", "url": "https://www.debian.org/security/2020/dsa-4738"}, {"name": "https://kde.org/info/security/advisory-20200730-1.txt", "refsource": "CONFIRM", "url": "https://kde.org/info/security/advisory-20200730-1.txt"}, {"name": "https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f", "refsource": "CONFIRM", "url": "https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f"}, {"name": "GLSA-202008-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202008-03"}, {"name": "FEDORA-2020-cac5ae9b6e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/"}, {"name": "openSUSE-SU-2020:1183", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html"}, {"name": "FEDORA-2020-e2fe8f0165", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM/"}, {"name": "USN-4461-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4461-1/"}, {"name": "[debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:37:53.926Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/KDE/ark/commits/master"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4738"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kde.org/info/security/advisory-20200730-1.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f"}, {"name": "GLSA-202008-03", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202008-03"}, {"name": "FEDORA-2020-cac5ae9b6e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/"}, {"name": "openSUSE-SU-2020:1183", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html"}, {"name": "FEDORA-2020-e2fe8f0165", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM/"}, {"name": "USN-4461-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4461-1/"}, {"name": "[debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16116", "datePublished": "2020-08-03T19:34:07", "dateReserved": "2020-07-28T00:00:00", "dateUpdated": "2024-08-04T13:37:53.926Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kde:ark:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F8EEAC8-2EB4-4385-AED4-65837A20A547", "versionEndExcluding": "20.08.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal."}, {"lang": "es", "value": "En el archivo kerfuffle/jobs.cpp en KDE Ark versiones anteriores a 20.08.0, un archivo dise\u00f1ado puede instalar archivos fuera del directorio de extracci\u00f3n por medio de un salto de directorio de ../"}], "id": "CVE-2020-16116", "lastModified": "2023-11-07T03:18:11.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-03T20:15:13.980", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/KDE/ark/commits/master"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://kde.org/info/security/advisory-20200730-1.txt"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202008-03"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://usn.ubuntu.com/4461-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4738"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ark: maliciously crafted archive can install files anywhere in the user's home directory", "id": "1862464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1862464"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-552", "details": ["In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal."], "name": "CVE-2020-16116", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ark", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2020-07-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-16116\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16116\nhttps://bugs.gentoo.org/734622"], "statement": "ark as shipped with Red Hat Enterprise Linux 7 prompts the user before allowing extraction into home directory, and also displays an error. Because the user must agree to perform the extraction in the home directory, Red Hat Product Security does not view this as a security vulnerability in ark as shipped with Red Hat Enterprise Linux 7.", "threat_severity": "Low", "upstream_fix": "ark 20.04.3-3"}