CVE-2021-28650
MEDIUMgnome-autoar < 0.3.1 - Directory Traversal via Symlink Handling
Title source: llmDescription
autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202105-10
Scores
CVSS v3
5.5
EPSS
0.0018
EPSS Percentile
38.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-59
Status
published
Products (2)
fedoraproject/fedora
34
gnome/gnome-autoar
< 0.3.1
Published
Mar 17, 2021
Tracked Since
Feb 18, 2026