CVE-2016-6321

Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/139370/GNU-tar-1.29-Extract-Pathname-Bypass.html	Exploit Third Party Advisory VDB Entry
https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt	Third Party Advisory
http://www.securityfocus.com/bid/93937	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2016/Oct/96	Mailing List Third Party Advisory
http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html	Mailing List Vendor Advisory
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d	Issue Tracking Patch
http://seclists.org/fulldisclosure/2016/Oct/102	Mailing List Patch Third Party Advisory
http://www.ubuntu.com/usn/USN-3132-1
http://www.debian.org/security/2016/dsa-3702
https://security.gentoo.org/glsa/201611-19
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gnu:tar:1.26:::::::*
	cpe:2.3:a:gnu:tar:1.27.1:::::::*
	cpe:2.3:a:gnu:tar:1.23:::::::*
	cpe:2.3:a:gnu:tar:1.29:::::::*
	cpe:2.3:a:gnu:tar:1.25:::::::*
	cpe:2.3:a:gnu:tar:1.22:::::::*
	cpe:2.3:a:gnu:tar:1.18:::::::*
	cpe:2.3:a:gnu:tar:1.19:::::::*
	cpe:2.3:a:gnu:tar:1.20:::::::*
	cpe:2.3:a:gnu:tar:1.17:::::::*
	cpe:2.3:a:gnu:tar:1.27:::::::*
	cpe:2.3:a:gnu:tar:1.15.90:::::::*
	cpe:2.3:a:gnu:tar:1.16:::::::*
	cpe:2.3:a:gnu:tar:1.28:::::::*
	cpe:2.3:a:gnu:tar:1.14:::::::*
	cpe:2.3:a:gnu:tar:1.24:::::::*
	cpe:2.3:a:gnu:tar:1.15.91:::::::*
	cpe:2.3:a:gnu:tar:1.15:::::::*
	cpe:2.3:a:gnu:tar:1.15.1:::::::*
	cpe:2.3:a:gnu:tar:1.21:::::::*
	cpe:2.3:a:gnu:tar:1.16.1:::::::*

Information

Published : 2016-12-09 14:59

Updated : 2023-02-12 20:50

NVD link : CVE-2016-6321

Mitre link : CVE-2016-6321

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

gnu

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://packetstormsecurity.com/files/139370/GNU-tar-1.29-Extract-Pathname-Bypass.html", "name": "http://packetstormsecurity.com/files/139370/GNU-tar-1.29-Extract-Pathname-Bypass.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt", "name": "https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/93937", "name": "93937", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://seclists.org/fulldisclosure/2016/Oct/96", "name": "20161026 [CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321)", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html", "name": "[bug-tar] 20161029 Re: [Bug-tar] possible fixes for CVE-2016-6321", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d", "name": "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d", "tags": ["Issue Tracking", "Patch"], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2016/Oct/102", "name": "20161030 [CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321) - patch update", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://www.ubuntu.com/usn/USN-3132-1", "name": "USN-3132-1", "tags": [], "refsource": "UBUNTU"}, {"url": "http://www.debian.org/security/2016/dsa-3702", "name": "DSA-3702", "tags": [], "refsource": "DEBIAN"}, {"url": "https://security.gentoo.org/glsa/201611-19", "name": "GLSA-201611-19", "tags": [], "refsource": "GENTOO"}, {"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", "name": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", "tags": [], "refsource": "MISC"}, {"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", "name": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", "tags": [], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-6321", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2016-12-09T22:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gnu:tar:1.26:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.27.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.23:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.29:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.25:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.22:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.18:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.19:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.20:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.17:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.27:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.15.90:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.28:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.24:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.15.91:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.15.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.21:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:tar:1.16.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T04:50Z"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-6321

7.5^/10

5.0^/10

Attach tags to `CVE-2016-6321`