Updated: 2025-08-20 01:37:37.384801
Description:
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.8 |
| CVSS Version 3.x | | 0.0 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 10 | python | 3.6 | 0.0 | | Released | CLSA-2025:1762528276 | 2025-11-07 21:27:23 | |
| Debian 10 | python | 2.7 | 0.0 | | Ignored | | 2025-10-14 06:38:35 | |
| Debian 11 | python | 2.7 | 0.0 | | Ignored | | 2025-10-14 06:38:35 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| Debian 11 | python | 3.6 | 0.0 | | Released | | 2025-11-07 21:27:22 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| Debian 12 | python | 3.9 | 0.0 | | Not Vulnerable | | 2026-01-08 10:42:42 | |
| Debian 12 | python | 3.7 | 0.0 | | In Progress | | 2026-01-09 13:32:52 | |
| Debian 12 | python | 3.6 | 0.0 | | Released | CLSA-2025:1762527353 | 2025-11-07 21:27:21 | |
| Debian 12 | python | 2.7 | 0.0 | | Ignored | | 2025-10-14 06:38:34 | |
| Debian 12 | python | 3.8 | 0.0 | | Not Vulnerable | | 2026-01-08 10:43:42 | |
| Debian 13 | python | 3.9 | 0.0 | | Not Vulnerable | | 2026-01-08 10:42:41 | |