CVE-2023-52138

8.2 HIGH

📋 TL;DR

The Engrampa archive manager for the MATE desktop environment has a path traversal vulnerability when extracting CPIO or ISO archives. An attacker can craft an archive that, when extracted, makes Engrampa follow a symlink and write files to arbitrary locations, which can lead to remote command execution. Users who extract untrusted archives with a vulnerable Engrampa version are affected.
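One way to enforce the containment this bug class violates, as an added example that is not Engrampa's code or its fix: a small extractor over constructed archive entries that checks every entry at its resolved on-disk location (so a symlink planted earlier cannot redirect a later write) and refuses symlink entries whose own target leaves the destination. It also covers a symlink that already existed in the destination before extraction. The entry format and the helper names are assumptions.

```python
import os
import tempfile
# Constructed archive entries in extraction order: the archive plants a symlink
# that leaves the extraction directory, then writes a file through it.
ESCAPING_ARCHIVE = [
    {"type": "symlink", "name": "config", "target": "../outside"},
    {"type": "file", "name": "config/payload.txt", "data": b"owned\n"},
]

def is_within(base, path):
    """True if path, with every symlink present on disk resolved, stays inside base."""
    base = os.path.realpath(base)
    real = os.path.realpath(path)
    return real == base or real.startswith(base + os.sep)

def safe_extract(entries, dest):
    """Extract entries into dest. Each entry is checked at its resolved on-disk
    location, so a planted symlink cannot redirect the write, and symlink entries
    whose own target leaves dest are refused. Returns (name, status) pairs."""
    os.makedirs(dest, exist_ok=True)
    results = []
    for e in entries:
        path = os.path.join(dest, e["name"])
        parent = os.path.dirname(path)
        bad = not is_within(dest, path)  # realpath follows symlinks already in the parent chain
        if e["type"] == "symlink":
            bad |= os.path.isabs(e["target"]) or not is_within(dest, os.path.join(parent, e["target"]))
        if bad:
            results.append((e["name"], "rejected"))
            continue
        os.makedirs(parent, exist_ok=True)
        if e["type"] == "symlink":
            os.symlink(e["target"], path)
            results.append((e["name"], "linked"))
        else:
            with open(path, "wb") as f:
                f.write(e["data"])
            results.append((e["name"], "written"))
    return results

def demo():
    """Run both scenarios in a scratch directory; returns statuses and whether anything escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        first = safe_extract(ESCAPING_ARCHIVE, dest)
        # A symlink already present in dest must not be followed by a later write either.
        os.symlink(os.path.join(tmp, "outside2"), os.path.join(dest, "pre"))
        second = safe_extract([{"type": "file", "name": "pre/x", "data": b"x"}], dest)
        escaped = any(os.path.exists(os.path.join(tmp, n)) for n in ("outside", "outside2"))
    return first, second, escaped
```

In the first scenario the escaping symlink is refused, so the payload lands harmlessly inside the extraction directory; in the second, the write through the pre-existing symlink is refused outright.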

💻 Affected Systems

Products:
  • Engrampa (MATE archive manager)
Versions: All versions before commit 63d5dfa9005c6b16d0f0ccd888cc859fca78f970
Operating Systems: Linux distributions with MATE desktop environment
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default CPIO archive handling; no special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root privileges via remote command execution when the victim extracts a malicious archive.

🟠 Likely Case: Local privilege escalation or arbitrary file writes leading to data theft or system manipulation.

🟢 If Mitigated: Limited impact if only trusted archives are processed or extraction occurs in a sandboxed environment.

🌐 Internet-Facing: MEDIUM - Requires user interaction to extract malicious archive, but common in file sharing scenarios.
🏢 Internal Only: HIGH - Internal users could exploit via shared archives or phishing attachments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to extract a malicious archive; a public proof-of-concept exists in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing commit 63d5dfa9005c6b16d0f0ccd888cc859fca78f970

Vendor Advisory: https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v

Restart Required: No

Instructions:

1. Update Engrampa via the package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade engrampa
3. For Fedora: sudo dnf update engrampa
4. For source builds: apply commit 63d5dfa.

🔧 Temporary Workarounds

Disable CPIO extraction

Platform: linux

Remove or disable CPIO archive support in Engrampa. This only removes the CPIO path; ISO archives are not covered by this workaround.

sudo apt remove cpio
sudo dnf remove cpio

Use an alternative archive tool

Platform: linux

Extract archives with patched or alternative tools such as file-roller

🧯 If You Can't Patch

  • Avoid extracting untrusted CPIO or ISO archives with Engrampa
  • Extract archives in isolated containers or virtual machines

🔍 How to Verify

Check if Vulnerable:

Check the installed Engrampa version, or verify that commit 63d5dfa is present in the source

Check Version:

engrampa --version || dpkg -l engrampa || rpm -q engrampa

Verify Fix Applied:

Verify that the installed version includes commit 63d5dfa, or check the package version against patched releases

📡 Detection & Monitoring

Log Indicators:

  • Unusual archive extraction processes
  • Symlink creation in system directories

Network Indicators:

  • Archive downloads from untrusted sources

SIEM Query:

Process creation where parent is engrampa and command includes suspicious file writes

🔗 References
