CVE-2016-10173 — HIGH (7.5)

Q: What is CVE-2016-10173?

CVE-2016-10173 is a vulnerability with a CVSS score of 7.5 (HIGH). Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry.

Q: How severe is CVE-2016-10173?

CVE-2016-10173 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-10173?

Check the references section above for vendor advisories and patch information. Affected products include: Minitar Archive-Tar-Minitar, Minitar Minitar.

Vulnerability Description

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Minitar	Archive-Tar-Minitar	<= 0.5.2
Minitar	Minitar	<= 0.5.4

Related Weaknesses (CWE)

CWE-22

References

http://www.debian.org/security/2017/dsa-3778
http://www.openwall.com/lists/oss-security/2017/01/24/7Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/29/1Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/95874Third Party AdvisoryVDB Entry
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed445PatchThird Party Advisory
https://github.com/halostatue/minitar/issues/16ExploitThird Party Advisory
https://puppet.com/security/cve/cve-2016-10173
https://security.gentoo.org/glsa/201702-32
http://www.debian.org/security/2017/dsa-3778
http://www.openwall.com/lists/oss-security/2017/01/24/7Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/29/1Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/95874Third Party AdvisoryVDB Entry
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed445PatchThird Party Advisory
https://github.com/halostatue/minitar/issues/16ExploitThird Party Advisory
https://puppet.com/security/cve/cve-2016-10173

FAQ

What is CVE-2016-10173?

CVE-2016-10173 is a vulnerability with a CVSS score of 7.5 (HIGH). Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry.

How severe is CVE-2016-10173?

CVE-2016-10173 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-10173?

Check the references section above for vendor advisories and patch information. Affected products include: Minitar Archive-Tar-Minitar, Minitar Minitar.