{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos8.4els/vex/2019/cve-2019-16680-els_os-centos8_4els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T16:10:13Z",
      "generator": {
        "date": "2026-04-20T16:10:13Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2019-16680-ELS_OS-CENTOS8.4ELS",
      "initial_release_date": "2019-09-21T21:15:00Z",
      "revision_history": [
        {
          "date": "2019-09-21T21:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-14T11:44:32Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-20T16:10:13Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2019-16680"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8.4",
                "product": {
                  "name": "Community Enterprise Operating System 8.4",
                  "product_id": "CentOS-8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8.4:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "file-roller-0:3.28.1-3.el8.4.x86_64",
                "product": {
                  "name": "file-roller-0:3.28.1-3.el8.4.x86_64",
                  "product_id": "file-roller-0:3.28.1-3.el8.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/file-roller@3.28.1-3.el8.4?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
                "product": {
                  "name": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
                  "product_id": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/file-roller@3.28.1-3.el8.4.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64"
        },
        "product_reference": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "file-roller-0:3.28.1-3.el8.4.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
        },
        "product_reference": "file-roller-0:3.28.1-3.el8.4.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16680",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
          "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-16680"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.gnome.org/show_bug.cgi?id=794337",
          "url": "https://bugzilla.gnome.org/show_bug.cgi?id=794337"
        },
        {
          "category": "external",
          "summary": "https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2",
          "url": "https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2"
        },
        {
          "category": "external",
          "summary": "https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1",
          "url": "https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/09/msg00032.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00032.html"
        },
        {
          "category": "external",
          "summary": "https://seclists.org/bugtraq/2019/Sep/57",
          "url": "https://seclists.org/bugtraq/2019/Sep/57"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/4139-1/",
          "url": "https://usn.ubuntu.com/4139-1/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2019/dsa-4537",
          "url": "https://www.debian.org/security/2019/dsa-4537"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=1767594",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767594"
        }
      ],
      "release_date": "2019-09-21T21:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "CVE-2019-16680 affects the GNOME File Roller desktop archive manager and is only triggered when a user manually opens and extracts a malicious TAR file. The bug permits just a single “../” traversal during extraction and runs with the user’s own privileges, so it can only overwrite files that the user can already modify, with no confidentiality or availability impact and no privilege escalation. As an interactive GUI application issue rather than a background service or library used on servers/VMs, its practical risk in managed enterprise deployments is low and it can be safely deprioritized.",
          "product_ids": [
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}