A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
1.8
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| github.com/mholt/archiver/v3 | golang | - | - | >=3.0.0,<=3.5.1 | Not yet available |
| github.com/mholt/archiver | golang | - | - | >=3.0.0,<=3.5.1 | Not yet available |
| github.com/mholt/archiver | golang | - | - | >=0.0.0-20181107210236-edeadbb1a388,<=0.0.0-20211030171243-cc194d2e4af2 | 0.0.0-20211030171243-cc194d2e4af2 |
| github.com/mholt/archiver/v3 | golang | - | - | >=0.0.0-20181107210236-edeadbb1a388,<=0.0.0-20211030171243-cc194d2e4af2 | 0.0.0-20211030171243-cc194d2e4af2 |
CVSS:3 Severity and metrics
The CVSS metrics represent various qualitative aspects of a vulnerability that influence the overall score above.
Attack Vector (AV)
Local
The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either: The attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity (AC)
Low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
Privileges Required (PR)
None
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI)
Required
Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.
Scope (S)
Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Confidentiality (C)
Low
There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
Integrity (I)
High
There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any or all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.
Availability (A)
None
There is no impact to availability within the impacted component.
1.8
-
1.8
CGA-55pr-9882-vgv5
-
CGA-5rc5-xj4h-cjrv
-
CGA-6p96-qff9-wmqm
-
CGA-f9fw-4v87-xm62
-
CGA-hrv2-593j-5xx2
-
CGA-m5hf-w83m-p7mx
-
CGA-mqjp-fwh2-h735
-
CGA-rh9h-g56c-vxq8
-
CGA-w4pj-7pv6-3fg6
-
CGA-76gw-vx4w-rpmm
-