CVE-2021-28650
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-28650
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-28650.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-28650
- Downstream
- Related
- Published
- 2021-03-17T06:15:14Z
- Modified
- 2025-10-15T12:46:46.926906Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
- References
Affected packages
Git / gitlab.gnome.org/GNOME/gnome-autoar
Affected ranges
- Type
- GIT
- Repo
- https://gitlab.gnome.org/GNOME/gnome-autoar
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"source": "https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4",
"signature_type": "Function",
"digest": {
"length": 284.0,
"function_hash": "99373367613554809577081196480085047086"
},
"deprecated": false,
"target": {
"function": "autoar_extractor_check_file_conflict",
"file": "gnome-autoar/autoar-extractor.c"
},
"id": "CVE-2021-28650-070f0175"
},
{
"signature_version": "v1",
"source": "https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"202873567088741737755139773778856684414",
"253786553022999834027812518448673111945",
"86261100617153731251853289598727974625",
"160936512739695133357499748907602668169",
"137374394736149040872317987219553189945",
"270732997768496155435744769357381582851",
"244127320031209311580005316087106093783",
"157603545734204621894498381227191520218",
"231909359212710678941792030726133514565",
"322724400400682001161733752636446320027",
"148762820276148228685341759328016027759",
"80526361010997095919849916967872224147",
"45654882263623040256181518074595264081",
"290449237765823922557442662957704297919",
"143508716903283642467802267094980547991",
"253341687466085229640557304141302650248",
"105135349804760838859480469610730392589",
"240226979070748456517245327310687153925",
"339279520886571069745447021750983878169",
"145062458361469922140567365199213942456",
"240666612790968850778280645138938878176",
"85682285750154980863096319146138418682",
"276989541056842942275151211316468774779",
"10958260111633119823476386537609705369",
"112240283909046655480806255810305227124",
"171209949003521789335708262986558689800",
"94354684989209136025792448985348421424",
"313182116061384494489975579325336736942",
"172040966644835096366579898560909236132",
"226674900431117975290627699646407248066",
"216325880258227678019308110977562702078",
"56216488792594233498650375158183283213",
"173766603905420724977676456036425120486",
"301181788405733540170702592044020477872"
]
},
"deprecated": false,
"target": {
"file": "gnome-autoar/autoar-extractor.c"
},
"id": "CVE-2021-28650-1ba0da16"
},
{
"signature_version": "v1",
"source": "https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4",
"signature_type": "Function",
"digest": {
"length": 1996.0,
"function_hash": "10935086851531793748285076384108417827"
},
"deprecated": false,
"target": {
"function": "autoar_extractor_step_extract",
"file": "gnome-autoar/autoar-extractor.c"
},
"id": "CVE-2021-28650-d12469aa"
}
]