CVE Vulnerability

CVE-2021-41072

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.1 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405 Exploit Third Party Advisory
https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd Patch Third Party Advisory
https://www.debian.org/security/2021/dsa-4987 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:squashfs-tools_project:squashfs-tools:4.5:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Information

Published : 2021-09-14 01:15

Updated : 2022-06-28 02:11

NVD link : CVE-2021-41072

Mitre link : CVE-2021-41072

Products Affected
No products.
CWE
CWE-22

CWE-59