CVE-2020-27637: 
R for Windows vulnerability analysis and mitigation

The R programming language's default package manager CRAN version 4.0.2 and prior versions were affected by a path traversal vulnerability that could lead to server compromise. The vulnerability was discovered in 2020 and assigned CVE-2020-27637. This security issue specifically affects packages installed via the R CMD install cli command or the install.packages() function from the interpreter (Bishop Fox Advisory, NVD).

The vulnerability exists in the R packaging system which uses the tar.gz format for bundling source code. Attackers can create malicious packages containing path traversal payloads in the archive header of tar.gz files, allowing files to be written outside of the specified installation directory during unarchiving. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature and potential for remote exploitation (NVD, Bishop Fox Advisory).

Depending on the permissions of the user installing the malicious dependency, this vulnerability can be leveraged to overwrite legitimate binaries on the host, create cronjobs, or write SSH keys to the affected host resulting in compromise. The impact could lead to full server compromise through arbitrary file writes and code execution (Bishop Fox Advisory, Gentoo Advisory).

The vulnerability was fixed in CRAN version 4.0.3, released on October 10, 2020. Users and organizations are advised to update to version 4.0.3 or later to mitigate this security risk. No alternative workarounds are available (Bishop Fox Advisory, Gentoo Advisory).