CVE-2020-24654

Publication date 1 September 2020

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ark	20.04 LTS focal	Fixed 4:19.12.3-0ubuntu1.2
	18.04 LTS bionic	Fixed 4:17.12.3-0ubuntu1.2
	16.04 LTS xenial	Fixed 4:15.12.3-0ubuntu1.2
	14.04 LTS trusty	Not in release

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	3.3 · Low
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-4482-1
Ark vulnerability
1 September 2020

Other references

https://www.cve.org/CVERecord?id=CVE-2020-24654