CVE-2016-6321
Vexday Risk Score
26 (Low)
SSVC Decision (CISA)
Track
No sign of exploitation → monitor
CVSS 7.5 · EPSS 15.2% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch referenced
Lifecycle
09 Dec 2016: Published in NVD
Recommendation: Monitor; no sign of exploitation at this time.
Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
n/a · n/a
References
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
http://packetstormsecurity.com/files/139370/GNU-tar-1.29-Extract-Pathname-Bypass.html
http://seclists.org/fulldisclosure/2016/Oct/102
http://seclists.org/fulldisclosure/2016/Oct/96
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://security.gentoo.org/glsa/201611-19
https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt
http://www.debian.org/security/2016/dsa-3702
http://www.securityfocus.com/bid/93937
http://www.ubuntu.com/usn/USN-3132-1