CVE-2021-28153 : An issue was discovered in GNOME GLib before 2.66.8. When g_file

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

Published 2021-03-11 22:15:13

Updated 2023-02-03 15:02:05

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2021-28153

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Gnome » Glib
Versions before (<) 2.66.8
cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*
Matching versions
Broadcom » Brocade Fabric Operating System Firmware » Version: N/A
cpe:2.3:o:broadcom:brocade_fabric_operating_system_firmware:-:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-28153

EPSS FAQ

0.45%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-28153

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2021-28153

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-28153

https://gitlab.gnome.org/GNOME/glib/-/issues/2325

file-roller symlink attack (#2325) · Issues · GNOME / GLib · GitLab
Exploit;Issue Tracking;Patch;Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/06/msg00006.html

[SECURITY] [DLA 3044-1] glib2.0 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210416-0003/

CVE-2021-28153 GNOME GLib Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/

[SECURITY] Fedora 33 Update: glib2-2.66.8-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://security.gentoo.org/glsa/202107-13

GLib: Multiple vulnerabilities (GLSA 202107-13) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ/

[SECURITY] Fedora 33 Update: mingw-glib2-2.66.8-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-28153

Products affected by CVE-2021-28153

Exploit prediction scoring system (EPSS) score for CVE-2021-28153

CVSS scores for CVE-2021-28153

CWE ids for CVE-2021-28153

References for CVE-2021-28153