CVE-2020-36241
MEDIUMgnome-autoar < 0.2.4 - Directory Traversal via Symlink Parent Check Bypass
Title source: llmDescription
autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
References (4)
Core 4
Core References
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Patch, Vendor Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202105-10
Scores
CVSS v3
5.5
EPSS
0.0018
EPSS Percentile
38.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
CWE-59
Status
published
Products (2)
fedoraproject/fedora
34
gnome/gnome-autoar
< 0.2.4
Published
Feb 05, 2021
Tracked Since
Feb 18, 2026