UBUNTU-CVE-2026-23949

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-23949

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23949.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-23949

Upstream

CVE-2026-23949

Published

2026-01-20T01:15:00Z

Modified

2026-01-21T18:15:58.993251Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the jaraco.context.tarball() function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The stripfirstcomponent filter splits the path on the first / and extracts the second component, while allowing ../ sequences. Paths like dummy_dir/../../etc/passwd become ../../etc/passwd. Note that this suffers from a nested tarball attack as well with multi-level tar files such as dummy_dir/inner.tar.gz, where the inner.tar.gz includes a traversal dummy_dir/../../config/.env that also gets translated to ../../config/.env. Version 6.1.0 contains a patch for the issue.

References

Affected packages

Ubuntu:25.10 / jaraco.context

Package

Name: jaraco.context
Purl: pkg:deb/ubuntu/jaraco.context@6.0.1-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.0.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-jaraco.context",
            "binary_version": "6.0.1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23949.json"