Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-tenv-z949-pya9
Summary
Arbitrary file overwrite in tar-rs
When unpacking a tarball with the unpack_in-family of functions it's intended that only files within the specified directory are able to be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the filesystem. Tarballs can contain multiple entries for the same file. A tarball which first contains an entry for a hard link or symlink pointing to any file on the filesystem will have the link created, and then afterwards if the same file is listed in the tarball the hard link will be rewritten and any file can be rewritten on the filesystem.
Aliases
0
alias CVE-2018-20990
1
alias GHSA-2367-c296-3mp2
Fixed_packages
0
url pkg:cargo/tar@0.4.16
purl pkg:cargo/tar@0.4.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:cargo/tar@0.4.16
1
url pkg:deb/debian/rust-tar@0?distro=trixie
purl pkg:deb/debian/rust-tar@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-tar@0%3Fdistro=trixie
2
url pkg:deb/debian/rust-tar@0.4.26-1?distro=trixie
purl pkg:deb/debian/rust-tar@0.4.26-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-88p2-xuah-2ygr
1
vulnerability VCID-ehdy-7aak-r3bt
2
vulnerability VCID-qj1y-b8m1-hyfm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-tar@0.4.26-1%3Fdistro=trixie
3
url pkg:deb/debian/rust-tar@0.4.38-1?distro=trixie
purl pkg:deb/debian/rust-tar@0.4.38-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ehdy-7aak-r3bt
1
vulnerability VCID-qj1y-b8m1-hyfm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-tar@0.4.38-1%3Fdistro=trixie
4
url pkg:deb/debian/rust-tar@0.4.43-4?distro=trixie
purl pkg:deb/debian/rust-tar@0.4.43-4?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ehdy-7aak-r3bt
1
vulnerability VCID-qj1y-b8m1-hyfm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-tar@0.4.43-4%3Fdistro=trixie
5
url pkg:deb/debian/rust-tar@0.4.45-2?distro=trixie
purl pkg:deb/debian/rust-tar@0.4.45-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-tar@0.4.45-2%3Fdistro=trixie
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-20990
reference_id
reference_type
scores
0
value 0.00299
scoring_system epss
scoring_elements 0.53232
published_at 2026-04-02T12:55:00Z
1
value 0.00299
scoring_system epss
scoring_elements 0.53286
published_at 2026-04-24T12:55:00Z
2
value 0.00299
scoring_system epss
scoring_elements 0.53314
published_at 2026-04-21T12:55:00Z
3
value 0.00299
scoring_system epss
scoring_elements 0.53334
published_at 2026-04-18T12:55:00Z
4
value 0.00299
scoring_system epss
scoring_elements 0.53329
published_at 2026-04-16T12:55:00Z
5
value 0.00299
scoring_system epss
scoring_elements 0.53291
published_at 2026-04-13T12:55:00Z
6
value 0.00299
scoring_system epss
scoring_elements 0.53308
published_at 2026-04-12T12:55:00Z
7
value 0.00299
scoring_system epss
scoring_elements 0.53324
published_at 2026-04-11T12:55:00Z
8
value 0.00299
scoring_system epss
scoring_elements 0.53272
published_at 2026-04-09T12:55:00Z
9
value 0.00299
scoring_system epss
scoring_elements 0.53278
published_at 2026-04-08T12:55:00Z
10
value 0.00299
scoring_system epss
scoring_elements 0.53208
published_at 2026-04-01T12:55:00Z
11
value 0.00299
scoring_system epss
scoring_elements 0.53225
published_at 2026-04-07T12:55:00Z
12
value 0.00299
scoring_system epss
scoring_elements 0.53257
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-20990
1
reference_url https://github.com/alexcrichton/tar-rs
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/alexcrichton/tar-rs
2
reference_url https://github.com/alexcrichton/tar-rs/commit/54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/alexcrichton/tar-rs/commit/54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85
3
reference_url https://github.com/alexcrichton/tar-rs/pull/156
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/alexcrichton/tar-rs/pull/156
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-20990
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:N/I:P/A:P
1
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-20990
5
reference_url https://rustsec.org/advisories/RUSTSEC-2018-0002.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rustsec.org/advisories/RUSTSEC-2018-0002.html
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:tar_project:tar:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:tar_project:tar:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:tar_project:tar:*:*:*:*:*:*:*:*
7
reference_url https://github.com/advisories/GHSA-2367-c296-3mp2
reference_id GHSA-2367-c296-3mp2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2367-c296-3mp2
Weaknesses
0
cwe_id 59
name Improper Link Resolution Before File Access ('Link Following')
description The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Exploits
Severity_range_score6.4 - 8.9
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-tenv-z949-pya9