CVE-2021-28650

EUVD-2021-15319
autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
Affected Products (NVD)
VendorProductVersion
gnomegnome-autoar
𝑥
< 0.3.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gnome-autoar
bookworm
0.4.3-1
fixed
bullseye
no-dsa
buster
not-affected
sid
0.4.5-1
fixed
stretch
not-affected
trixie
0.4.5-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gnome-autoar
bionic
Fixed 0.2.3-1ubuntu0.3
released
focal
Fixed 0.2.3-2ubuntu0.3
released
groovy
Fixed 0.2.4-2ubuntu0.3
released
hirsute
not-affected
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
https://security.gentoo.org/glsa/202105-10
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
https://security.gentoo.org/glsa/202105-10