How severe is CVE-2020-27833?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.1 out of 10.

What type of vulnerability is CVE-2020-27833?

This is classified as CWE-20, which is a common weakness in software security.

CVE-2020-27833

HIGH Year: 2020

CVSS v3 Score

7.1

High

CVSS v2 Score

4.6

Medium

Weakness Type

CWE-20

View all →

Vulnerability Description

A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first created pointing within the tarball, this allows further symbolic links to bypass the existing path check. This flaw allows the tarball to create links outside the tarball's parent directory, allowing for executables or configuration files to be overwritten, resulting in arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions up to and including openshift-clients-4.7.0-202104250659.p0.git.95881af are affected.

CVE-2009-2516

HIGH

CVSS:7.1(High)

The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly validate data sent from user mode, which allows local users to gai...

CWE-202009

CVE-2015-3150

HIGH

CVSS:7.1(High)

abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to delete or change the ownership of arbitrary files via the problem directory argument to the (1) ChownProblemDir, (2) DeleteElemen...

CWE-202015

CVE-2015-9544

HIGH

CVSS:7.1(High)

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStoragePostMessageApi.js does not implement any validation of the origin of web messages. Remote attack...

CWE-202015

CVE-2015-9545

HIGH

CVSS:7.1(High)

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can en...

CWE-202015

CVE-2016-3185

HIGH

CVSS:7.1(High)

The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information ...

CWE-202016

CVE-2016-4449

HIGH

CVSS:7.1(High)

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrar...

CWE-202016

CVE-2020-27833

Vulnerability Description

Related Vulnerabilities

CVE-2009-2516

CVE-2015-3150

CVE-2015-9544

CVE-2015-9545

CVE-2016-3185

CVE-2016-4449