CVE-2021-41072 : squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversa

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

Published 2021-09-14 01:15:08

Updated 2023-05-30 06:15:18

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2021-41072

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Squashfs-tools Project » Squashfs-tools » Version: 4.5
cpe:2.3:a:squashfs-tools_project:squashfs-tools:4.5:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41072

EPSS FAQ

3.59%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41072

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:P	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2021-41072

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)
CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-41072

https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html

[SECURITY] [DLA 2789-1] squashfs-tools security update
Mailing List;Third Party Advisory
https://www.debian.org/security/2021/dsa-4987

Debian -- Security Information -- DSA-4987-1 squashfs-tools
Third Party Advisory
https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405

unsquashfs - unvalidated filepaths allow writing outside of destination · Issue #72 · plougher/squashfs-tools · GitHub
Exploit;Third Party Advisory
https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd

Unsquashfs: additional write outside destination directory exploit fix · plougher/squashfs-tools@e048580 · GitHub
Patch;Third Party Advisory
https://security.gentoo.org/glsa/202305-29

squashfs-tools: Multiple Vulnerabilities (GLSA 202305-29) — Gentoo security

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-41072

Products affected by CVE-2021-41072

Exploit prediction scoring system (EPSS) score for CVE-2021-41072

CVSS scores for CVE-2021-41072

CWE ids for CVE-2021-41072

References for CVE-2021-41072