CVE-2021-40153
HIGH 8.1
Description
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
CVE details
CVSS v3.1 score: 8.1
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 8/27/2021
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
debian:debian_linux
fedoraproject:fedora
redhat:enterprise_linux
squashfs-tools_project:squashfs-tools
Weaknesses (CWE)
CWE-22
References
https://github.com/plougher/squashfs-tools/commit/79b5a555058eef4e1e7ff220c344d39f8cd09646 (cve@mitre.org)
https://github.com/plougher/squashfs-tools/issues/72 (cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/ (cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/ (cve@mitre.org)
https://security.gentoo.org/glsa/202305-29 (cve@mitre.org)
https://www.debian.org/security/2021/dsa-4967 (cve@mitre.org)
https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1941790 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/plougher/squashfs-tools/commit/79b5a555058eef4e1e7ff220c344d39f8cd09646 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/plougher/squashfs-tools/issues/72 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/08/msg00030.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202305-29 (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4967 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.