Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Ruby Archive::Tar::Minitar: Directory traversal
Informations
Name GLSA-201702-32 First vendor Publication 2017-02-22
Vendor Gentoo Last vendor Modification 2017-02-22
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Ruby Archive::Tar::Minitar is vulnerable to a directory traversal attack.

Background

Archive::Tar::Minitar is a pure-Ruby library and command-line utility that provides the ability to deal with POSIX tar(1) archive files.

Description

Michal Marek discovered that Ruby Archive::Tar::Minitar is vulnerable to a directory traversal vulnerability.

Impact

A remote attacker could entice a user or an automated system to process a specially crafted archive using Ruby Archive::Tar::Minitar possibly allowing the writing of arbitrary files with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Ruby Archive::Tar::Minitar users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-ruby/archive-tar-minitar-0.6.1"

References

[ 1 ] CVE-2016-10173 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10173

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201702-32

Original Source

Url : http://security.gentoo.org/glsa/glsa-201702-32.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

Nessus® Vulnerability Scanner

Date Description
2017-02-23 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201702-32.nasl - Type : ACT_GATHER_INFO
2017-02-10 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2017-231.nasl - Type : ACT_GATHER_INFO
2017-02-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3778.nasl - Type : ACT_GATHER_INFO
2017-01-31 Name : The remote Debian host is missing a security update.
File : debian_DLA-808.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2017-02-28 09:24:26
  • Multiple Updates
2017-02-24 13:22:23
  • Multiple Updates
2017-02-22 13:19:09
  • First insertion