CVE-2020-11736

LOW

GNOME file-roller < 3.36.1 - Directory Traversal via Symlink Parent Check Bypass

Title source: llm

Description

fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

References (5)

Core 5

Core References

Patch, Third Party Advisory x_refsource_misc

https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/04/msg00013.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4332-1/

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4332-2/

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202009-06

Scores

CVSS v3 3.9

EPSS 0.0034

EPSS Percentile 56.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Details

CWE

CWE-22 CWE-59

Status published

Products (6)

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.10

canonical/ubuntu_linux 20.04

debian/debian_linux 8.0

gnome/file-roller < 3.36.1

Published Apr 13, 2020

Tracked Since Feb 18, 2026