CVE-2024-57966

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-57966
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57966.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-57966
Downstream
Related
Published
2025-02-03T05:15:10.080Z
Modified
2025-11-20T12:28:55.807364Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L CVSS Calculator
Summary
[none]
Details

libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive.

References

Affected packages

Git / github.com/kde/ark

Affected ranges

Type
GIT
Repo
https://github.com/kde/ark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58

Affected versions

v1.*

v1.1.0

v14.*

v14.11.80
v14.11.90
v14.11.95
v14.11.97
v14.12.0
v14.12.1
v14.12.2

v15.*

v15.03.80
v15.03.90
v15.03.95
v15.03.97
v15.04.0
v15.04.1
v15.04.2
v15.07.80
v15.07.90
v15.08.0
v15.08.1
v15.08.2
v15.08.3
v15.11.80
v15.11.90
v15.12.0
v15.12.1
v15.12.2
v15.12.3

v16.*

v16.03.80
v16.03.90
v16.04.0
v16.04.1
v16.04.2
v16.04.3
v16.07.80
v16.07.90
v16.08.0
v16.08.1
v16.08.2
v16.11.80
v16.11.90
v16.12.0
v16.12.1
v16.12.2

v17.*

v17.03.80
v17.03.90
v17.04.0
v17.04.1
v17.04.2
v17.04.3
v17.07.80
v17.07.90
v17.08.0
v17.08.1
v17.08.2
v17.11.80
v17.11.90
v17.12.0
v17.12.1
v17.12.2
v17.12.3

v18.*

v18.03.80
v18.03.90
v18.04.0
v18.04.1
v18.04.2
v18.07.80
v18.07.90
v18.08.0
v18.08.1
v18.08.2
v18.11.80
v18.11.90
v18.12.0
v18.12.1
v18.12.2

v19.*

v19.03.80
v19.03.90
v19.04.0
v19.04.1
v19.04.2
v19.07.80
v19.07.90
v19.08.0
v19.08.1
v19.08.2
v19.11.80
v19.11.90
v19.12.0
v19.12.1
v19.12.2
v19.12.3

v2.*

v2.0.0
v2.1.0
v2.2.0

v20.*

v20.03.80
v20.03.90
v20.04.0
v20.04.1
v20.04.2
v20.04.3
v20.07.80
v20.07.90
v20.08.0
v20.11.80
v20.11.90
v20.12.0
v20.12.1

v21.*

v21.03.80
v21.03.90
v21.04.0
v21.04.1
v21.04.2
v21.04.3
v21.11.80
v21.11.90
v21.12.0
v21.12.1
v21.12.2

v22.*

v22.03.80
v22.04.0
v22.04.1
v22.04.2
v22.04.3
v22.07.80
v22.07.90
v22.08.0
v22.08.1

v24.*

v24.01.75
v24.01.80
v24.01.85
v24.01.90
v24.11.80
v24.11.90

v3.*

v3.0.0
v3.2.0
v3.3.0
v3.4.0
v3.4.0-beta1
v3.4.0-beta2
v3.4.90
v3.4.91
v3.80.2
v3.80.3
v3.90.1
v3.93
v3.94
v3.95
v3.96
v3.97

v4.*

v4.0.0
v4.0.71
v4.0.80
v4.0.83
v4.0.98
v4.1.80
v4.1.85
v4.1.96
v4.10.0
v4.10.1
v4.10.2
v4.10.3
v4.10.4
v4.10.5
v4.10.80
v4.10.90
v4.11.80
v4.11.90
v4.11.95
v4.11.97
v4.12.0
v4.12.1
v4.12.2
v4.12.3
v4.12.80
v4.12.90
v4.12.95
v4.12.97
v4.13.0
v4.13.1
v4.13.80
v4.13.90
v4.13.95
v4.13.97
v4.14.0
v4.14.1
v4.14.2
v4.14.3
v4.2.85
v4.2.90
v4.2.95
v4.3.80
v4.3.85
v4.3.90
v4.4.80
v4.4.85
v4.4.90
v4.5.80
v4.5.85
v4.5.90
v4.5.95
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.80
v4.6.90
v4.6.95
v4.7.80
v4.7.90
v4.7.95
v4.7.97
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.8.80
v4.8.90
v4.8.95
v4.8.97
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4
v4.9.80
v4.9.90
v4.9.95
v4.9.97
v4.9.98

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "target": {
            "function": "LibarchivePlugin::extractionFlags",
            "file": "plugins/libarchive/libarchiveplugin.cpp"
        },
        "id": "CVE-2024-57966-817be60b",
        "signature_type": "Function",
        "source": "https://github.com/kde/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58",
        "digest": {
            "length": 153.0,
            "function_hash": "92950249168408824949588827210376077342"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "plugins/libarchive/libarchiveplugin.cpp"
        },
        "id": "CVE-2024-57966-bd1f9628",
        "signature_type": "Line",
        "source": "https://github.com/kde/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "220204647504994727138907679677301311624",
                "222038716733348899504575798418846489909",
                "229032019905062076456928908007330015070",
                "65978093045713843273613591632343073311",
                "26735906475720014663809280306154077684",
                "73617774723263138499033682547975979456",
                "221547668275580750425446489519470341178",
                "260338842149791753201417877460226876978",
                "224597503903516629171941227306572650715",
                "339066316322557546373799136365671747786",
                "61825346247672945957102480452548455776"
            ]
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "autotests/kerfuffle/extracttest.cpp"
        },
        "id": "CVE-2024-57966-f813b5de",
        "signature_type": "Line",
        "source": "https://github.com/kde/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "332267113243607604279641050664915530879",
                "198775865366999714708383753794641788723",
                "137190222825344850611546818937876466641"
            ]
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "ExtractTest::testExtraction_data",
            "file": "autotests/kerfuffle/extracttest.cpp"
        },
        "id": "CVE-2024-57966-f85700cc",
        "signature_type": "Function",
        "source": "https://github.com/kde/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58",
        "digest": {
            "length": 15280.0,
            "function_hash": "80977258953651137448340464034251151328"
        },
        "deprecated": false
    }
]