CVE-2022-1664
- Source
- https://cve.org/CVERecord?id=CVE-2022-1664
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1664.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-1664
- Downstream
- Related
- Published
- 2022-05-26T14:15:08.010Z
- Modified
- 2026-03-14T11:26:55.162901Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
- References
-
- https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html
- https://lists.debian.org/debian-security-announce/2022/msg00115.html
- https://security.netapp.com/advisory/ntap-20221007-0002/
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be
Affected packages
Git / git.dpkg.org/cgit/dpkg/dpkg.git
Affected ranges
- Type
- GIT
- Repo
- https://git.dpkg.org/cgit/dpkg/dpkg.git
- Events
-
Introduced47d2e9c479d6650e4980231606cd43c744e3c0c9Fixede195a9f2ffd547e332f8f148a4135f537a5e77e7Introduced90d2887c67f2b1d0915169cc49725bb774083abaFixed99902811cf1b1f41eed3bce2fc7ab8a4f02c364bIntroduced314ac02663c5bd1a82b34745150bf13a39a549a3Fixed6247c7c3da135b41ac94af82e0b739cb40ba595dIntroduced1f4238aba8850f83280ca88e14c7b48ee7e07d7eFixeda154134fe70c0b823ae14905bdc33b64e7dcd454Fixed1f23dddc17f69c9598477098c7fb9936e15fa495Fixed58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5Fixed7a6c03cb34d4a09f35df2f10779cbf1b70a5200bFixedfaa4c92debe45412bfcf8a44f26e827800bb24be
- Database specific
{ "versions": [ { "introduced": "1.14.17" }, { "fixed": "1.18.26" }, { "introduced": "1.19.0" }, { "fixed": "1.19.8" }, { "introduced": "1.20.0" }, { "fixed": "1.20.10" }, { "introduced": "1.21.0" }, { "fixed": "1.21.8" } ] }
Affected versions
1.*
1.14.17
1.14.18
1.14.19
1.14.20
1.14.21
1.14.22
1.14.23
1.14.24
1.14.25
1.15.0
1.15.1
1.15.2
1.15.3
1.15.3.1
1.15.4
1.15.4.1
1.15.5
1.15.5.1
1.15.5.2
1.15.5.3
1.15.5.4
1.15.5.5
1.15.5.6
1.15.6
1.15.6.1
1.15.7
1.15.7.1
1.15.7.2
1.15.8
1.15.8.1
1.15.8.10
1.15.8.2
1.15.8.3
1.15.8.4
1.15.8.5
1.15.8.6
1.15.8.7
1.15.8.8
1.15.8.9
1.16.0
1.16.0.1
1.16.0.2
1.16.0.3
1.16.1
1.16.1.1
1.16.1.2
1.16.10
1.16.2
1.16.3
1.16.4
1.16.4.1
1.16.4.2
1.16.4.3
1.16.5
1.16.6
1.16.7
1.16.8
1.16.9
1.17.0
1.17.1
1.17.10
1.17.11
1.17.12
1.17.13
1.17.14
1.17.15
1.17.16
1.17.17
1.17.18
1.17.19
1.17.2
1.17.20
1.17.21
1.17.22
1.17.23
1.17.3
1.17.4
1.17.5
1.17.6
1.17.7
1.17.8
1.17.9
1.18.0
1.18.1
1.18.10
1.18.11
1.18.12
1.18.13
1.18.14
1.18.15
1.18.16
1.18.17
1.18.18
1.18.19
1.18.2
1.18.20
1.18.21
1.18.22
1.18.23
1.18.24
1.18.25
1.18.3
1.18.4
1.18.5
1.18.6
1.18.7
1.18.8
1.18.9
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
1.19.5
1.19.6
1.19.7
1.20.0
1.20.1
1.20.2
1.20.3
1.20.4
1.20.5
1.20.6
1.20.7
1.20.8
1.20.9
1.21.0
1.21.1
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.0"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1664.json"