#VU103730 Path traversal in ark - CVE-2024-57966

Cybersecurity Help s.r.o.

Published: 2025-02-10 | Updated: 2025-02-10

Vulnerability identifier: #VU103730

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-57966

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ark
Client/Desktop applications / Other client software

Vendor: KDE.org

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in libarchiveplugin.cpp. A remote attacker can use a specially crafted archive and install arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ark: 24.01.75 - 24.11.90

External links
https://github.com/KDE/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58
https://github.com/KDE/ark/compare/v24.11.90...v24.12.0
https://lists.debian.org/debian-lts-announce/2025/02/msg00007.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Slackware Linux update for ark

openEuler 24.03 LTS SP1 update for ark

openEuler 22.03 LTS SP3 update for ark

openEuler 22.03 LTS SP4 update for ark

openEuler 24.03 LTS update for ark

Path traversal in KDE ark