RubySec

Providing security resources for the Ruby community

CVE-2016-10173 (minitar): Minitar Directory Traversal Vulnerability

ADVISORIES

GEM

minitar

SEVERITY

CVSS v3: 7.5 (High)

PATCHED VERSIONS

  • >= 0.6.0

DESCRIPTION

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/

Credit: ecneladis