32 matches found
SUSE-SU-2024:2463-1 Security update for squashfs
This update for squashfs fixes the following issues: - CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs-tools bsc935380 - CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination bsc1189936 - CVE-2021-41072: Fixed an issu...
SUSE: Security Advisory (SUSE-SU-2023:4591-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
SUSE CVE-2022-48579
UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains...
AZL-34592 CVE-2022-48579 affecting package clamav for versions less than 0.105.2-4
UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains...
CVE-2022-48579
UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains...
SUSE CVE-2020-1737
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the winunzip module as the extracted files are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive...
gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory
autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location...
AZL-7463 CVE-2021-40153 affecting package squashfs-tools for versions less than 4.5.1-1
squashfsopendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations...
ALPINE-CVE-2021-40153
squashfsopendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations...
CVE-2019-11251 kubectl cp allows symlink directory traversal
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be...
PT-2019-5665 · Kubernetes +1 · Kubernetes +1
Name of the Vulnerable Software and Affected Versions: Kubernetes versions 1.1 through 1.12 Kubernetes versions prior to 1.13.11 Kubernetes versions prior to 1.14.7 Kubernetes versions prior to 1.15.4 Description: The issue is related to the Kubernetes kubectl cp command, which allows an attacker...
PT-2019-6092 · Unknown +9 · Squashfs-Tools +9
Name of the Vulnerable Software and Affected Versions: Squashfs-Tools version 4.5 Description: The issue is related to the squashfs opendir function in the unsquash-1.c component of Squashfs-Tools. This function stores the filename in the directory entry, which is then used by unsquashfs to creat...