CVE-2021-31566

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-31566
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-08-23 16:15:00 UTC
Updated2024-03-27 16:04:00 UTC
DescriptionAn improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.

Risk And Classification

Problem Types: CWE-59

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Operating System Fedoraproject Fedora 35 All All All
Application Libarchive Libarchive All All All All
Application Redhat Codeready Linux Builder - All All All
Operating System Redhat Enterprise Linux 8.0 All All All
Operating System Redhat Enterprise Linux 8.0 All All All
Operating System Redhat Enterprise Linux Eus 8.6 All All All
Operating System Redhat Enterprise Linux Eus 8.6 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems 8.0 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems 8.0 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems Eus 8.6 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems Eus 8.6 All All All
Operating System Redhat Enterprise Linux For Power Little Endian 8.0 All All All
Operating System Redhat Enterprise Linux For Power Little Endian 8.0 All All All
Operating System Redhat Enterprise Linux For Power Little Endian Eus 8.6 All All All
Operating System Redhat Enterprise Linux For Power Little Endian Eus 8.6 All All All
Operating System Redhat Enterprise Linux Server Aus 8.6 All All All
Operating System Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions 8.6 All All All
Operating System Redhat Enterprise Linux Server Tus 8.6 All All All
Application Splunk Universal Forwarder All All All All
Application Splunk Universal Forwarder 9.1.0 All All All

References

ReferenceSourceLinkTags
Red Hat Customer Portal - Access to 24x7 support and knowledge MISC access.redhat.com
[SECURITY] Processing fixup entries may follow symbolic links · Issue #1566 · libarchive/libarchive · GitHub MISC github.com
[SECURITY] [DLA 3202-1] libarchive security update MLIST lists.debian.org
2024237 – (CVE-2021-31566) CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive MISC bugzilla.redhat.com
Do not follow symlinks when processing the fixup list · libarchive/libarchive@b41daec · GitHub MISC github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 159709 Oracle Enterprise Linux Security Update for libarchive (ELSA-2022-0892)
  • 179253 Debian Security Update for libarchive (DLA 2987-1)
  • 180499 Debian Security Update for libarchive (CVE-2021-31566)
  • 181241 Debian Security Update for libarchive (DLA 3202-1)
  • 198669 Ubuntu Security Notification for libarchive Vulnerabilities (USN-5291-1)
  • 240147 Red Hat Update for libarchive (RHSA-2022:0892)
  • 282426 Fedora Security Update for libarchive (FEDORA-2022-9bb794c5f5)
  • 354321 Amazon Linux Security Advisory for libarchive : ALAS2022-2022-201
  • 354419 Amazon Linux Security Advisory for libarchive : ALAS2022-2022-059
  • 354576 Amazon Linux Security Advisory for libarchive : ALAS-2022-201
  • 355055 Amazon Linux Security Advisory for libarchive : AL2012-2022-379
  • 355173 Amazon Linux Security Advisory for libarchive : ALAS2023-2023-071
  • 356757 Amazon Linux Security Advisory for libarchive : ALAS2-2023-2374
  • 376502 Cygwin libarchive Package Multiple Security Vulnerabilities
  • 377362 Alibaba Cloud Linux Security Update for libarchive (ALINUX3-SA-2022:0019)
  • 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
  • 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
  • 501419 Alpine Linux Security Update for libarchive
  • 671424 EulerOS Security Update for libarchive (EulerOS-SA-2022-1353)
  • 671445 EulerOS Security Update for libarchive (EulerOS-SA-2022-1430)
  • 671481 EulerOS Security Update for libarchive (EulerOS-SA-2022-1451)
  • 671500 EulerOS Security Update for libarchive (EulerOS-SA-2022-1490)
  • 671522 EulerOS Security Update for libarchive (EulerOS-SA-2022-1509)
  • 710601 Gentoo Linux libarchive Multiple Vulnerabilities (GLSA 202208-26)
  • 752783 SUSE Enterprise Linux Security Update for libarchive (SUSE-SU-2022:3936-1)
  • 752785 SUSE Enterprise Linux Security Update for libarchive (SUSE-SU-2022:3935-1)
  • 940470 AlmaLinux Security Update for libarchive (ALSA-2022:0892)
  • 960713 Rocky Linux Security Update for libarchive (RLSA-2022:0892)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report