DEBIAN-CVE-2026-23949
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-23949
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23949.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-23949
- Upstream
- Published
- 2026-01-20T01:15:57.723Z
- Modified
- 2026-01-24T04:18:48.271315Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the
jaraco.context.tarball()function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The stripfirstcomponent filter splits the path on the first/and extracts the second component, while allowing../sequences. Paths likedummy_dir/../../etc/passwdbecome../../etc/passwd. Note that this suffers from a nested tarball attack as well with multi-level tar files such asdummy_dir/inner.tar.gz, where the inner.tar.gz includes a traversaldummy_dir/../../config/.envthat also gets translated to../../config/.env. Version 6.1.0 contains a patch for the issue. - References
Affected packages
Debian:13 / jaraco.context
Package
- Name
- jaraco.context
- Purl
- pkg:deb/debian/jaraco.context?arch=source
Debian:14 / jaraco.context
Package
- Name
- jaraco.context
- Purl
- pkg:deb/debian/jaraco.context?arch=source
Debian:13 / setuptools
Package
- Name
- setuptools
- Purl
- pkg:deb/debian/setuptools?arch=source
Debian:14 / setuptools
Package
- Name
- setuptools
- Purl
- pkg:deb/debian/setuptools?arch=source