16 matches found
CVE-2026-32885
DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...
PT-2026-34524
DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...
Arbitrary File Overwrite & RCE via Tarfile Path Traversal
Description: The DJL package utilizes an untar function, for example, when downloading and saving models. Additionally, the untar function overwrites existing files. Therefore, the untar method includes the following two security measures to prevent misuse of its functionality. 1. Security measure...
SUSE CVE-2019-1002101
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could r...
Path Traversal
org.openrefine is vulnerable to Path Traversal. The vulnerability exists because the OpenRefine project tar files are not properly escaping their root directory in the untar function of FileProjectManager.java, which allows an attacker to access files outside the expected directory using relative...
Apache Hadoop operating system command injection vulnerability
Apache Hadoop is an open source distributed system infrastructure from the Apache Foundation. The product is capable of distributed processing of large amounts of data and is highly reliable, scalable, and fault-tolerant. Apache Hadoop has a security vulnerability that stems from its...
CVE-2022-26612
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an...
Xxe
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an...
CVE-2022-26612
CVE-2022-26612 affects Apache Hadoop. The vulnerability arises during TAR extraction: Hadoop’s unTar uses unTarUsingJava on Windows and the built-in tar utility on other OSes, allowing a TAR entry to create a symlink pointing outside the extraction directory. A following TAR entry can write arbit...
PT-2022-2441 · Apache · Apache Hadoop
Name of the Vulnerable Software and Affected Versions: Apache Hadoop versions prior to 3.2.3 Description: The issue is related to the unTar function in Apache Hadoop, which uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. This can lead to a TAR entr...
Symlink Attack in kubectl cp
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could r...
CVE-2019-1002101
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could r...
Path traversal
Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme...
CVE-2014-3697
Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme...
CVE-2014-3697
The CVE-2014-3697 issue affects Pidgin for Windows, where the untar_block function in win32/untar.c allows absolute path traversal via a tar archive’s drive name in a smiley theme. This enables remote attackers to write files to arbitrary locations on the victim system. Public references indicate...