Vulnerability-Lookup

alsa-2026:30852

Vulnerability from osv_almalinux

Published

2026-06-29 00:00

Modified

2026-06-29 10:29

Summary

Important: perl-Archive-Tar security update

Details

Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support compressed or gzipped tar files.

Security Fix(es):

perl-archive-tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access (CVE-2026-42496)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:30852	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-42496	REPORT
	https://bugzilla.redhat.com/2481314	REPORT
	https://errata.almalinux.org/8/ALSA-2026-30852.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perl-Archive-Tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.30-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support compressed or gzipped tar files.  \n\nSecurity Fix(es):  \n\n  * perl-archive-tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access (CVE-2026-42496)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:30852",
  "modified": "2026-06-29T10:29:37Z",
  "published": "2026-06-29T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:30852"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42496"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481314"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-30852.html"
    }
  ],
  "related": [
    "CVE-2026-42496"
  ],
  "summary": "Important: perl-Archive-Tar security update"
}

CVE-2026-42496 (GCVE-0-2026-42496)

Vulnerability from cvelistv5 – Published: 2026-05-26 00:17 – Updated: 2026-05-28 13:08

Title

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory

Summary

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

CPANSec

References

3 references

URL	Tags
https://github.com/jib/archive-tar-new/commit/17c…	patch
https://metacpan.org/release/BINGOS/Archive-Tar-3…	release-notes
https://www.cve.org/CVERecord?id=CVE-2026-42497	related

Impacted products

1 product

Vendor	Product	Version
BINGOS	Archive::Tar	Affected: 0 , < 3.08 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42496",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T13:08:28.377579Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T13:08:37.326Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Archive-Tar",
          "product": "Archive::Tar",
          "programFiles": [
            "lib/Archive/Tar.pm"
          ],
          "programRoutines": [
            {
              "name": "Archive::Tar::_make_special_file"
            }
          ],
          "repo": "https://github.com/jib/archive-tar-new",
          "vendor": "BINGOS",
          "versions": [
            {
              "lessThan": "3.08",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header\u0027s linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T00:17:19.110Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42497"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Archive::Tar 3.08 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-12T00:00:00.000Z",
          "value": "Issue reported."
        },
        {
          "lang": "en",
          "time": "2026-05-22T00:00:00.000Z",
          "value": "Version 3.08 released."
        }
      ],
      "title": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-42496",
    "datePublished": "2026-05-26T00:17:19.110Z",
    "dateReserved": "2026-04-27T18:34:48.417Z",
    "dateUpdated": "2026-05-28T13:08:37.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:30852

Vulnerability from osv_almalinux

CVE-2026-42496 (GCVE-0-2026-42496)

Tags

Sightings

Nomenclature