CVE-2016-6232: Path Traversal
First published: Tue Aug 02 2016(Updated: )
Directory traversal vulnerability in KArchive before 5.24, as used in KDE Frameworks, allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =15.10 | |
| Kde Karchives | <=5.24 | |
| debian/karchive | 5.78.0-2 5.103.0-1 5.115.0-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00000.html
- http://www.debian.org/security/2016/dsa-3643
- http://www.openwall.com/lists/oss-security/2016/07/16/2
- http://www.openwall.com/lists/oss-security/2016/07/16/3
- http://www.securityfocus.com/bid/91806
- http://www.ubuntu.com/usn/USN-3042-1
- https://quickgit.kde.org/?p=karchive.git&a=commit&h=0cb243f64eef45565741b27364cece7d5c349c37
- https://usn.ubuntu.com/4100-1/
- https://www.kde.org/info/security/advisory-20160724-1.txt
- https://quickgit.kde.org/?p=karchive.git&a=commit&h=0cb243f64eef45565741b27364cece7d5c349c37
- https://launchpad.net/bugs/cve/CVE-2016-6232
- https://lists.debian.org/debian-lts/2016/07/msg00144.html
- https://git.reviewboard.kde.org/r/128185/
- https://security-tracker.debian.org/tracker/CVE-2016-6232
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6232
- https://nvd.nist.gov/vuln/detail/CVE-2016-6232
- https://ubuntu.com/security/CVE-2016-6232
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2016-6232.
What is the title of the vulnerability?
The title of the vulnerability is 'Directory traversal vulnerability in KArchive before 5.24 as used in KDE Frameworks allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.'
What software is affected by this vulnerability?
KArchive before version 5.24, KDE Frameworks, kde4libs, and karchive on various Ubuntu and Debian versions.
What is the severity of CVE-2016-6232?
The severity of CVE-2016-6232 is high with a CVSS score of 7.5.
How can I fix this vulnerability?
To fix this vulnerability, update to a version that includes the fix provided by the vendor.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- agent/trending
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/15.10
- vendor/kde
- canonical/kde karchives
- version/kde karchives/5.24
- package-manager/debian