ALPINE-CVE-2022-1664

ALPINE-CVE-2022-1664 PUBLISHED CVSS 9.800000190734863 CRITICAL

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.21	dpkg	1.15.5.6-r1, 1.15.5.6-r2, 1.15.8.10-r0
Alpine:v3.15	dpkg	1.20.5-r0, 1.20.9-r0, 1.20.7.1-r0
Alpine:v3.23	dpkg	1.21.1-r0, 1.18.4-r0, 1.15.5.6-r1
Alpine:v3.16	dpkg	1.21.1-r1, 1.18.7-r0, 1.18.9-r1
Alpine:v3.19	dpkg	1.16.10-r0, 1.15.5.6-r0, 1.16.14-r0
Alpine:v3.17	dpkg	1.20.5-r0, 1.20.1-r0, 1.18.4-r1
Alpine:v3.20	dpkg	1.21.7-r0, 1.21.6-r0, 1.21.3-r0
Alpine:v3.13	dpkg	1.20.2-r0, 0, 1.15.5.6-r1
Alpine:v3.14	dpkg	0, 1.15.5.6-r0, 1.15.5.6-r1
Alpine:v3.18	dpkg	1.18.23-r1, 1.15.5.6-r2, 1.20.6-r0
Alpine:v3.22	dpkg	1.19.7-r0, 1.20.0-r0, 1.20.1-r0

Timeline

May 26, 2022 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2022-1664 advisory

Open in Interactive Console →