VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-tenv-z949-pya9

Essentials
Severities (28)
References (8)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-tenv-z949-pya9
Aliases	CVE-2018-20990 GHSA-2367-c296-3mp2
Summary	Arbitrary file overwrite in tar-rs When unpacking a tarball with the unpack_in-family of functions it's intended that only files within the specified directory are able to be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the filesystem. Tarballs can contain multiple entries for the same file. A tarball which first contains an entry for a hard link or symlink pointing to any file on the filesystem will have the link created, and then afterwards if the same file is listed in the tarball the hard link will be rewritten and any file can be rewritten on the filesystem.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-59

Improper Link Resolution Before File Access ('Link Following')

System	Score	Found at
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
epss	0.00299	https://api.first.org/data/v1/epss?cve=CVE-2018-20990
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-2367-c296-3mp2
cvssv3.1	7.5	https://github.com/alexcrichton/tar-rs
generic_textual	HIGH	https://github.com/alexcrichton/tar-rs
cvssv3.1	7.5	https://github.com/alexcrichton/tar-rs/commit/54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85
generic_textual	HIGH	https://github.com/alexcrichton/tar-rs/commit/54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85
cvssv3.1	7.5	https://github.com/alexcrichton/tar-rs/pull/156
generic_textual	HIGH	https://github.com/alexcrichton/tar-rs/pull/156
cvssv2	6.4	https://nvd.nist.gov/vuln/detail/CVE-2018-20990
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2018-20990
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2018-20990
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2018-20990
cvssv3.1	7.5	https://rustsec.org/advisories/RUSTSEC-2018-0002.html
generic_textual	HIGH	https://rustsec.org/advisories/RUSTSEC-2018-0002.html

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2018-20990
		https://github.com/alexcrichton/tar-rs
		https://github.com/alexcrichton/tar-rs/commit/54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85
		https://github.com/alexcrichton/tar-rs/pull/156
		https://nvd.nist.gov/vuln/detail/CVE-2018-20990
		https://rustsec.org/advisories/RUSTSEC-2018-0002.html
cpe:2.3:a:tar_project:tar::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:tar_project:tar::::::::
GHSA-2367-c296-3mp2		https://github.com/advisories/GHSA-2367-c296-3mp2

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/alexcrichton/tar-rs

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/alexcrichton/tar-rs/commit/54651a87ae6ba7d81fcc72ffdee2ea7eca2c7e85

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/alexcrichton/tar-rs/pull/156

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-20990

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-20990

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-20990

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://rustsec.org/advisories/RUSTSEC-2018-0002.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.53208
EPSS Score	0.00299
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:01:40.458581+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-2367-c296-3mp2/GHSA-2367-c296-3mp2.json	38.0.0