CVE-2021-23177

CVE	CVE-2021-23177
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-08-23 16:15:00 UTC
Updated	2022-12-03 14:16:00 UTC
Description	An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.

Problem Types: CWE-59

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Libarchive	Libarchive	All	All	All	All
Application	Redhat	Codeready Linux Builder	-	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.6	All	All	All

Reference	Source	Link	Tags
[SECURITY] [DLA 3202-1] libarchive security update	MLIST	lists.debian.org
2024245 – (CVE-2021-23177) CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target	MISC	bugzilla.redhat.com
Fix handling of symbolic link ACLs · libarchive/libarchive@fba4f12 · GitHub	MISC	github.com
[SECURITY] Linux: extracting a symlink with ACLs modifies ACLs of target · Issue #1565 · libarchive/libarchive · GitHub	MISC	github.com
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

159709 Oracle Enterprise Linux Security Update for libarchive (ELSA-2022-0892)
179253 Debian Security Update for libarchive (DLA 2987-1)
180329 Debian Security Update for libarchive (CVE-2021-23177)
181241 Debian Security Update for libarchive (DLA 3202-1)
198669 Ubuntu Security Notification for libarchive Vulnerabilities (USN-5291-1)
240147 Red Hat Update for libarchive (RHSA-2022:0892)
377362 Alibaba Cloud Linux Security Update for libarchive (ALINUX3-SA-2022:0019)
671424 EulerOS Security Update for libarchive (EulerOS-SA-2022-1353)
671445 EulerOS Security Update for libarchive (EulerOS-SA-2022-1430)
671481 EulerOS Security Update for libarchive (EulerOS-SA-2022-1451)
671500 EulerOS Security Update for libarchive (EulerOS-SA-2022-1490)
671522 EulerOS Security Update for libarchive (EulerOS-SA-2022-1509)
752598 SUSE Enterprise Linux Security Update for libarchive (SUSE-SU-2022:3306-1)
752619 SUSE Enterprise Linux Security Update for libarchive (SUSE-SU-2022:3393-1)
940470 AlmaLinux Security Update for libarchive (ALSA-2022:0892)
960713 Rocky Linux Security Update for libarchive (RLSA-2022:0892)