CVE-2020-27637
CRITICAL
CRAN < 4.0.3 - Path Traversal via R CMD INSTALL or install.packages()
The R programming language’s default package manager, CRAN, is affected by a path traversal vulnerability that can lead to server compromise. This vulnerability affects packages installed via the R CMD INSTALL command-line command or the install.packages() function from the interpreter. Update to version 4.0.3.
References (3)
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202401-07
Exploit, Third Party Advisory
https://labs.bishopfox.com/advisories/cran-version-4.0.2
Vendor Advisory
https://www.r-project.org/foundation/
Scores
CVSS v3
9.8
EPSS
0.0224
EPSS Percentile
80.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
r-project/cran
< 4.0.3
Published
Jan 12, 2021
Tracked Since
Feb 18, 2026