CVE-2016-6321

HIGH7.5EPSS 14.3%

tar - security update

Published: 12/9/2016Modified: 4/28/2026

Description

Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.

Affected packages (4)

Alpine/tarfrom 0, < 1.29-r1
Debian/tarfrom 0, < 1.29b-1.1
Debian/tarfrom 0, < 1.26+dfsg-0.1+deb7u1
Debian/tarfrom 0, < 1.27.1-2+deb8u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2016-6321
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-6321