{"id":"UBUNTU-CVE-2017-1000026","details":"Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using \"..\" in tar archive entries","modified":"2025-07-16T07:50:27.504481Z","published":"2017-07-17T13:18:00Z","withdrawn":"2025-07-18T16:44:19Z","upstream":["CVE-2017-1000026"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-1000026"},{"type":"REPORT","url":"https://github.com/chef/mixlib-archive/pull/6"},{"type":"REPORT","url":"https://github.com/chef/mixlib-archive/pull/6/commits/3a874a24aed6ee93fbccf97efe0ecc999bafe87d"},{"type":"REPORT","url":"https://github.com/chef/mixlib-archive/blob/master/CHANGELOG.md"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-1000026"}],"affected":[{"package":{"name":"ruby-mixlib-archive","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/ruby-mixlib-archive@0.4.1-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.1-1"}]}],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-mixlib-archive","binary_version":"0.4.1-1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-1000026.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}