Updated: 2025-08-20 01:37:37.384801
Description:
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Links: NIST | CIRCL | RHEL | Ubuntu

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.8 |
| CVSS Version 3.x | | 0.0 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 13 | python | 3.6 | 0.0 | | Released | CLSA-2025:1762527200 | 2025-11-07 21:16:46 | |
| Debian 13 | python | 2.7 | 0.0 | | Ignored | | 2025-10-14 06:18:40 | |
| Debian 13 | python | 3.8 | 0.0 | | Not Vulnerable | | 2026-01-08 10:43:43 | |
| Debian 13 | python | 3.7 | 0.0 | | In Progress | | 2026-01-09 13:32:52 | |
| EL 10 | python | 2.7 | 0.0 | | Ignored | | 2025-10-14 06:20:19 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| EL 10 | python | 3.6 | 0.0 | | Needs Triage | | 2025-10-16 03:43:26 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| EL 7 | python | 2.7 | 0.0 | | Ignored | | 2025-07-29 01:45:40 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| EL 7 | python | 3.6 | 0.0 | | Released | CLSA-2025:1749037497 | 2025-06-05 02:31:17 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| EL 8 | python | 2.7 | 0.0 | | Ignored | | 2025-07-29 01:45:40 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |
| EL 8 | python | 3.6 | 0.0 | | Released | CLSA-2025:1749037555 | 2025-06-05 02:31:16 | We have reasoned not to port this fix since it was never backported to 2.x by upstream |