CVE-2016-6321

Source
https://cve.org/CVERecord?id=CVE-2016-6321
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6321.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-6321
Downstream
Related
Published
2016-12-09T22:59:00.170Z
Modified
2026-07-17T03:45:07.079676139Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Directory traversal vulnerability in the safernamesuffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.

References

Affected packages

Git / http.git.savannah.gnu.org/git/tar.git/

Affected ranges

Type
GIT
Repo
http://http.git.savannah.gnu.org/git/tar.git/
Events
Introduced
95256b3c07fecbacbefbf61d45b2e0634cda42cc
Last affected
20b55f0679d314568ec21ae6db1ea635494e292b
Database specific
{
    "cpe": [
        "cpe:2.3:a:gnu:tar:1.14:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.15:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.15.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.15.90:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.15.91:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.16:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.16.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.17:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.18:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.19:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.20:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.21:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.22:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.23:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.24:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.25:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.26:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.27:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.27.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.28:*:*:*:*:*:*:*",
        "cpe:2.3:a:gnu:tar:1.29:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "1.14"
        },
        {
            "last_affected": "1.14"
        },
        {
            "introduced": "1.15"
        },
        {
            "last_affected": "1.15"
        },
        {
            "introduced": "1.15.1"
        },
        {
            "last_affected": "1.15.1"
        },
        {
            "introduced": "1.15.90"
        },
        {
            "last_affected": "1.15.90"
        },
        {
            "introduced": "1.15.91"
        },
        {
            "last_affected": "1.15.91"
        },
        {
            "introduced": "1.16"
        },
        {
            "last_affected": "1.16"
        },
        {
            "introduced": "1.16.1"
        },
        {
            "last_affected": "1.16.1"
        },
        {
            "introduced": "1.17"
        },
        {
            "last_affected": "1.17"
        },
        {
            "introduced": "1.18"
        },
        {
            "last_affected": "1.18"
        },
        {
            "introduced": "1.19"
        },
        {
            "last_affected": "1.19"
        },
        {
            "introduced": "1.20"
        },
        {
            "last_affected": "1.20"
        },
        {
            "introduced": "1.21"
        },
        {
            "last_affected": "1.21"
        },
        {
            "introduced": "1.22"
        },
        {
            "last_affected": "1.22"
        },
        {
            "introduced": "1.23"
        },
        {
            "last_affected": "1.23"
        },
        {
            "introduced": "1.24"
        },
        {
            "last_affected": "1.24"
        },
        {
            "introduced": "1.25"
        },
        {
            "last_affected": "1.25"
        },
        {
            "introduced": "1.26"
        },
        {
            "last_affected": "1.26"
        },
        {
            "introduced": "1.27"
        },
        {
            "last_affected": "1.27"
        },
        {
            "introduced": "1.27.1"
        },
        {
            "last_affected": "1.27.1"
        },
        {
            "introduced": "1.28"
        },
        {
            "last_affected": "1.28"
        },
        {
            "introduced": "1.29"
        },
        {
            "last_affected": "1.29"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

1.*
1.14
1.15
1.15.1
1.15.90
1.15.91
1.16
1.16.1
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.27.1
1.28
1.29
Other
alpha_1_15_90
alpha_1_15_90_incremental_1
alpha_1_15_91
release_1_14
release_1_15
release_1_15_1
release_1_16
release_1_16_1
release_1_17
release_1_18
release_1_19
release_1_20
release_1_21
release_1_22
release_1_23
release_1_24
release_1_26
release_1_27
release_1_27_1
release_1_28
release_1_29

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6321.json"