CVE-2016-10173
HIGHminitar < 0.6 and archive-tar-minitar < 0.5.2 - Path Traversal via TAR Archive Entry
Title source: llmDescription
Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry.
References (8)
Core 8
Core References
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/01/24/7
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201702-32
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/95874
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/halostatue/minitar/issues/16
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/01/29/1
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3778
Various Sources x_refsource_confirm
https://puppet.com/security/cve/cve-2016-10173
Patch, Third Party Advisory x_refsource_confirm
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4
Scores
CVSS v3
7.5
EPSS
0.0292
EPSS Percentile
86.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-22
Status
published
Products (4)
minitar/archive-tar-minitar
< 0.5.2
minitar/minitar
< 0.5.4
rubygems/archive-tar-minitar
0 - 0.5.2RubyGems
rubygems/minitar
0 - 0.6RubyGems
Published
Feb 01, 2017
Tracked Since
Feb 18, 2026