
15 matches found

Tenable Nessus
added 2026/06/08 12:0 a.m. · 6 views

Amazon Linux 2023 : perl-Archive-Tar, perl-Archive-Tar-tests (ALAS2023-2026-1805)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1805 advisory. Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. makespecialfile passes the tar header's linkname to symlink witho...

CVSS 9.1 · AI score 5.6 · EPSS 0.00467
Exploits 0 · References 8

CVE
added 2026/05/09 7:24 p.m. · 19 views

CVE-2026-42574

The CVE-2026-42574 issue affects apko dirFS used to build/publish OCI images. A crafted APK could place a TypeSymlink tar entry whose target points outside the build root, enabling traversal to host paths via subsequent directory creation or write operations within the same or later archive. Root...

CVSS 7.5 · AI score 5.7 · EPSS 0.00352
Exploits 0 · References 4

Tenable Nessus
added 2026/03/14 12:0 a.m. · 2 views

SUSE SLES12 Security Update : busybox (SUSE-SU-2026:0892-1)

The remote SUSE Linux SLES12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0892-1 advisory. - CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncsprintf.c bsc1217580. - CVE-2023-42364: use-after-free in the awk....

CVSS 7.2 · AI score 6.3 · EPSS 0.02871
Exploits 6 · References 25

OSV
added 2025/10/21 3:42 p.m. · 1 views

GHSA-J5GW-2VRG-8FGX astral-tokio-tar Vulnerable to PAX Header Desynchronization

Summary Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser...

CVSS 8.1 · AI score 6.4 · EPSS 0.00688
Exploits 1 · References 8

EUVD
added 2025/10/03 8:7 p.m. · 5 views

EUVD-2025-0202

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.9 · EPSS 0.00667
Exploits 0 · References 3

CNNVD
added 2025/06/16 12:0 a.m. · 1 views

Conda-build Path Traversal Vulnerability

Conda-build is a Conda open source command and tool for building conda packages. A path traversal vulnerability exists in versions of Conda-build prior to 25.4.0 that stems from improper path cleanup of tar entries, which could lead to a path traversal attack...

CVSS 9.8 · AI score 6.6 · EPSS 0.01265
Exploits 1 · References 5

Positive Technologies
added 2025/02/28 12:0 a.m. · 4 views

PT-2025-9134 · Pwndoc · Pwndoc

Name of the Vulnerable Software and Affected Versions: PwnDoc versions prior to 1.2.0 Description: The issue concerns the backup restore functionality, which is vulnerable to path traversal in the TAR entry's name. This allows an attacker to overwrite any file on the system with their content,...

CVSS 6.5 · AI score 7.9 · EPSS 0.01819
Exploits 1 · References 11

SUSE CVE
added 2025/01/22 3:48 a.m. · 4 views

SUSE CVE-2025-0377

HashiCorp's go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry...

CVSS 9.1 · AI score 6.9 · EPSS 0.00667
Exploits 0 · References 4

Github Security Blog
added 2025/01/21 6:31 p.m. · 22 views

HashiCorp go-slug Vulnerable to Zip Slip Attack

Summary HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3. Background HashiCorp’s go-slug shared library offers functions for...

CVSS 9.1 · AI score 6.8 · EPSS 0.00667
Exploits 0 · References 3 · Affected Software 1

NVD
added 2025/01/21 4:15 p.m. · 9 views

CVE-2025-0377

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry...

CVSS 9.1 · EPSS 0.00667
Exploits 0 · References 1

SUSE CVE
added 2023/02/15 5:18 a.m. · 3 views

SUSE CVE-2015-4021

The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory...

CVSS 5 · AI score 8.3 · EPSS 0.20859
Exploits 1 · References 9

CVE
added 2022/04/07 6:20 p.m. · 232 views

CVE-2022-26612

CVE-2022-26612 affects Apache Hadoop. The vulnerability arises during TAR extraction: Hadoop’s unTar uses unTarUsingJava on Windows and the built-in tar utility on other OSes, allowing a TAR entry to create a symlink pointing outside the extraction directory. A following TAR entry can write arbit...

CVSS 9.8 · AI score 9.2 · EPSS 0.04057
Exploits 1 · References 2 · Affected Software 1

OSV
added 2017/02/01 3:59 p.m. · 1 views

DEBIAN-CVE-2016-10173

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry...

CVSS 7.5 · AI score 7.1 · EPSS 0.04742
Exploits 1 · References 1

EUVD
added 2015/12/11 11:0 a.m. · 2 views

EUVD-2015-7702

The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that do...

CVSS 6.8 · AI score 7.1 · EPSS 0.10288
Exploits 0 · References 19

OSV
added 2015/10/12 12:0 a.m. · 1 views

UBUNTU-CVE-2015-7803

The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that do...

CVSS 6.8 · AI score 7.2 · EPSS 0.10288
Exploits 0 · References 3