CVE-2020-16116

LOW

KDE Ark < 20.08.0 - Path Traversal

Title source: rule

Description

In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.

References (10)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html

[Release Notes, Third Party Advisory] https://github.com/KDE/ark/commits/master

[Patch, Vendor Advisory] https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f

[Vendor Advisory] https://kde.org/info/security/advisory-20200730-1.txt

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html

[Third Party Advisory] https://security.gentoo.org/glsa/202008-03

[Patch, Third Party Advisory] https://usn.ubuntu.com/4461-1/

[Third Party Advisory] https://www.debian.org/security/2020/dsa-4738

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/

Scores

CVSS v3 3.3

EPSS 0.0086

EPSS Percentile 74.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-22

Status published

Affected Products (9)

kde/ark < 20.08.0

debian/debian_linux

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

opensuse/leap

opensuse/leap

canonical/ubuntu_linux

canonical/ubuntu_linux

Timeline

Published Aug 03, 2020

Tracked Since Feb 18, 2026