CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
AI Score
Confidence
High
EPSS
Percentile
94.8%
Directory traversal vulnerability in the (1) extract and (2) extractall
functions in the tarfile module in Python allows user-assisted remote
attackers to overwrite arbitrary files via a … (dot dot) sequence in
filenames in a TAR archive, a related issue to CVE-2001-1267.
Author | Note |
---|---|
mdeslaur | Upstream python eventually decided to fix this by adding an additional option to the affected functions to specify adding a filter. See PEP 706. While this does not change the default behaviour, applications modified to use the filter can now safely extract untrusted tar files. Due to the default not changing, we will not be fixing this issue in older Python releases, marking as ignored. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | python3.10 | < 3.10.12-1~22.04.2 | UNKNOWN |
ubuntu | 23.04 | noarch | python3.11 | < 3.11.4-1~23.04 | UNKNOWN |