Vulnerability Details : CVE-2021-39208
Potential exploit
SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that fullDestinationDirectoryPath ends with slash. If the destinationDirectory is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case. This issue is fixed in SharpCompress version 0.29.0.
Vulnerability category: Directory traversal
Products affected by CVE-2021-39208
- cpe:2.3:a:sharpcompress_project:sharpcompress:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39208
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-39208
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
8.0
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2021-39208
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-39208
-
https://github.com/adamhathcock/sharpcompress/releases/tag/0.29.0
Release 0.29.0 - minor behavior change and fixes · adamhathcock/sharpcompress · GitHubRelease Notes;Third Party Advisory
-
https://github.com/adamhathcock/sharpcompress/pull/614
Ensure destination directory exists. by adamhathcock · Pull Request #614 · adamhathcock/sharpcompress · GitHubPatch;Third Party Advisory
-
https://github.com/adamhathcock/sharpcompress/security/advisories/GHSA-jp7f-grcv-6mjf
WriteEntryToDirectory used for an archive extraction is vulnerable to partial path traversal. · Advisory · adamhathcock/sharpcompress · GitHubExploit;Third Party Advisory
Jump to