#VU46109 UNIX symbolic link following in ark - CVE-2020-24654

Cybersecurity Help s.r.o.

Published: 2020-08-27

Vulnerability identifier: #VU46109

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-24654

CWE-ID: CWE-61

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ark
Client/Desktop applications / Other client software

Vendor: KDE.org

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a symlink following issue when processing .tar archives in KDE ark. remote attacker can trick the victim to open a specially crafted .tar archive and overwrite arbitrary files on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ark: 2.6 - 20.07.90

External links
https://kde.org/info/security/advisory-20200827-1.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Ark

OpenSUSE Linux update for ark

Debian update for ark

UNIX symbolic link following in akonadi-calendar-tools (Alpine package)

Arch Linux update for ark

OpenSUSE Linux update for ark

Ubuntu update for ark

Fedora 32 update for ark

Fedora EPEL 8 update for ark