{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-20T13:06:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "openSUSE-SU-2020:1310", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1175857"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kde.org/info/security/advisory-20200827-1.txt"}, {"name": "DSA-4759", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4759"}, {"name": "FEDORA-2020-c2f8a1e8a5", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/"}, {"name": "USN-4482-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4482-1/"}, {"name": "FEDORA-2020-f04f41bcc9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJOZ6YRNPZX5MJGVBMOCOA7N6Z4EU2OK/"}, {"name": "GLSA-202010-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202010-06"}, {"name": "GLSA-202101-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202101-06"}, {"name": "[debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24654", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2020:1310", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html"}, {"name": "https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd", "refsource": "CONFIRM", "url": "https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd"}, {"name": "https://bugzilla.suse.com/show_bug.cgi?id=1175857", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1175857"}, {"name": "https://kde.org/info/security/advisory-20200827-1.txt", "refsource": "CONFIRM", "url": "https://kde.org/info/security/advisory-20200827-1.txt"}, {"name": "DSA-4759", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4759"}, {"name": "FEDORA-2020-c2f8a1e8a5", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/"}, {"name": "USN-4482-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4482-1/"}, {"name": "FEDORA-2020-f04f41bcc9", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJOZ6YRNPZX5MJGVBMOCOA7N6Z4EU2OK/"}, {"name": "GLSA-202010-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202010-06"}, {"name": "GLSA-202101-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-06"}, {"name": "[debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:08.343Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2020:1310", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1175857"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kde.org/info/security/advisory-20200827-1.txt"}, {"name": "DSA-4759", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4759"}, {"name": "FEDORA-2020-c2f8a1e8a5", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/"}, {"name": "USN-4482-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4482-1/"}, {"name": "FEDORA-2020-f04f41bcc9", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJOZ6YRNPZX5MJGVBMOCOA7N6Z4EU2OK/"}, {"name": "GLSA-202010-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202010-06"}, {"name": "GLSA-202101-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202101-06"}, {"name": "[debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24654", "datePublished": "2020-09-02T16:22:10", "dateReserved": "2020-08-26T00:00:00", "dateUpdated": "2024-08-04T15:19:08.343Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kde:ark:*:*:*:*:*:*:*:*", "matchCriteriaId": "785B922D-7B29-4839-9E69-208ABD25BB69", "versionEndExcluding": "20.08.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory."}, {"lang": "es", "value": "En KDE Ark versiones anteriores a 20.08.1, un archivo TAR dise\u00f1ado con enlaces simb\u00f3licos puede instalar archivos fuera del directorio de extracci\u00f3n, como es demostrado mediante una operaci\u00f3n de escritura en el directorio de inicio del usuario"}], "id": "CVE-2020-24654", "lastModified": "2023-11-07T03:20:09.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-02T17:15:12.327", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00001.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1175857"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://kde.org/info/security/advisory-20200827-1.txt"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJOZ6YRNPZX5MJGVBMOCOA7N6Z4EU2OK/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202010-06"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-06"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4482-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4759"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ark: crafted TAR archive with symlinks can install files outside the extraction directory", "id": "1880358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1880358"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-59", "details": ["In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory."], "mitigation": {"lang": "en:us", "value": "The way to mitigate this flaw is to pay attention to the contents of the archive in ark before extracting, to ensure that there are no improper symlinks, and heed the file overwrite warnings."}, "name": "CVE-2020-24654", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "ark", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2020-08-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-24654\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-24654"], "threat_severity": "Low", "upstream_fix": "ark 20.08.1"}