CVE-2022-1664
directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
La función Dpkg::Source::Archive en dpkg, el sistema de administración de paquetes de Debian, versiones anteriores a 1.21.8, 1.20.10, 1.19.8, 1.18.26, es propenso a una vulnerabilidad de salto de directorio. Cuando son extraídos paquetes fuente no confiables en formatos de paquetes fuente v2 y v3 que incluyen un debian.tar, la extracción en el lugar puede conllevar a situaciones de salto de directorio en los tarballs orig.tar y debian.tar especialmente diseñados
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-10 CVE Reserved
- 2022-05-26 CVE Published
- 2024-01-15 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20221007-0002 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html | 2022-12-03 | |
| https://lists.debian.org/debian-security-announce/2022/msg00115.html | 2022-12-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Debian Search vendor "Debian" | Dpkg Search vendor "Debian" for product "Dpkg" | >= 1.14.17 < 1.18.26 Search vendor "Debian" for product "Dpkg" and version " >= 1.14.17 < 1.18.26" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Dpkg Search vendor "Debian" for product "Dpkg" | >= 1.19.0 < 1.19.8 Search vendor "Debian" for product "Dpkg" and version " >= 1.19.0 < 1.19.8" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Dpkg Search vendor "Debian" for product "Dpkg" | >= 1.20.0 < 1.20.10 Search vendor "Debian" for product "Dpkg" and version " >= 1.20.0 < 1.20.10" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Dpkg Search vendor "Debian" for product "Dpkg" | >= 1.21.0 < 1.21.8 Search vendor "Debian" for product "Dpkg" and version " >= 1.21.0 < 1.21.8" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Ontap Select Deploy Administration Utility Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility" | - | - |
Affected
| ||||||