CVE-2021-41072
Published on: 09/13/2021 12:00:00 AM UTC
Last Modified on: 06/28/2022 02:11:00 PM UTC
Certain versions of Debian Linux from Debian contain the following vulnerability:
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
CVE-2021-41072 has been assigned by [email protected] to track the vulnerability; it is currently rated as HIGH severity.
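The description above hinges on one ordering problem: an archive entry creates a symlink under the extraction root, and a later entry whose path runs through that symlink is then written through it. The check below is an added illustration of the containment test an extractor needs before every write; it is not code from squashfs-tools, from the fix referenced below, or from this advisory. The function and exception names (`safe_target`, `UnsafePathError`, `demo`) and the constructed scenario in `demo` are assumptions made for this example.

```python
import os
import stat
import tempfile


class UnsafePathError(Exception):
    """Raised when an archive entry would be written outside the extraction root."""


def safe_target(dest_root: str, entry_path: str) -> str:
    """Return the absolute path an archive entry may be written to, or raise.

    The entry is rejected if:
      * its path is absolute or contains '..' components;
      * any already-existing component below dest_root is a symlink, which is
        the condition described for CVE-2021-41072 (a symlink created by an
        earlier entry of the same archive, later written through);
      * the resolved path does not stay inside dest_root.
    """
    root = os.path.realpath(dest_root)
    parts = [p for p in entry_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if os.path.isabs(entry_path) or ".." in parts:
        raise UnsafePathError(f"refusing absolute or parent-relative entry: {entry_path!r}")

    current = root
    for part in parts:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)   # lstat so the link itself is inspected, not its target
        except FileNotFoundError:
            continue                 # component does not exist yet: nothing to follow
        if stat.S_ISLNK(st.st_mode):
            raise UnsafePathError(f"refusing to write through symlink: {current}")

    # Second, independent check: the resolved path must still lie under the root.
    resolved = os.path.realpath(current)
    if resolved != root and not resolved.startswith(root + os.sep):
        raise UnsafePathError(f"entry escapes root: {entry_path!r} -> {resolved}")
    return current


def demo() -> dict:
    """Constructed scenario (not a real archive): the extraction root already
    holds 'link -> <directory outside the root>', as a crafted archive's first
    entry would leave it; subsequent entries are then checked before writing.
    Returns, per entry path, whether it was written or rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        # Effect of the archive's symlink entry: a link inside dest pointing outside it.
        os.symlink(outside, os.path.join(dest, "link"))
        # Entries that follow; only the plain relative one may be written.
        for entry in ("link/passwd", "etc/passwd", "../passwd", "/etc/passwd"):
            try:
                target = safe_target(dest, entry)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "w") as fh:
                    fh.write("constructed sample content\n")
                results[entry] = "written"
            except UnsafePathError:
                results[entry] = "rejected"
        # Nothing may have landed in the directory the symlink points to.
        results["outside_untouched"] = os.listdir(outside) == []
    return results


if __name__ == "__main__":
    for entry, outcome in demo().items():
        print(f"{entry}: {outcome}")
```

`safe_target` is applied per entry, immediately before the write, so a symlink created by an earlier entry of the same archive is caught even though the destination was empty when extraction started. Checking each component with `os.lstat` rather than `os.stat` is the point: `stat` follows the link and would report the outside directory as an ordinary directory.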
CVSS3 Score: 8.1 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction
---|---|---|---
NETWORK | LOW | NONE | REQUIRED

Scope | Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---|---
UNCHANGED | NONE | HIGH | HIGH
CVSS2 Score: 5.8 - MEDIUM
Access Vector | Access Complexity | Authentication
---|---|---
NETWORK | MEDIUM | NONE

Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---
NONE | PARTIAL | PARTIAL
CVE References
Description | Tags | Link
---|---|---
unsquashfs - unvalidated filepaths allow writing outside of destination · Issue #72 · plougher/squashfs-tools · GitHub | text/html | github.com
[SECURITY] [DLA 2789-1] squashfs-tools security update | text/html | lists.debian.org
Unsquashfs: additional write outside destination directory exploit fix · plougher/[email protected] · GitHub | text/html | github.com
Debian -- Security Information -- DSA-4987-1 squashfs-tools | Deprecated link, text/html | www.debian.org
Related QID Numbers
- 178823 Debian Security Update for squashfs-tools (DSA 4987-1)
- 178845 Debian Security Update for squashfs-tools (DLA 2789-1)
- 198500 Ubuntu Security Notification for Squashfs-Tools Vulnerability (USN-5078-1)
- 198537 Ubuntu Security Notification for Squashfs-Tools Vulnerability (USN-5078-3)
- 501784 Alpine Linux Security Update for squashfs-tools
- 671158 EulerOS Security Update for squashfs-tools (EulerOS-SA-2021-2814)
- 671188 EulerOS Security Update for squashfs-tools (EulerOS-SA-2021-2936)
- 671216 EulerOS Security Update for squashfs-tools (EulerOS-SA-2022-1019)
- 671226 EulerOS Security Update for squashfs-tools (EulerOS-SA-2022-1039)
- 671232 EulerOS Security Update for squashfs-tools (EulerOS-SA-2022-1189)
- 671285 EulerOS Security Update for squashfs-tools (EulerOS-SA-2022-1216)
- 671297 EulerOS Security Update for squashfs-tools (EulerOS-SA-2022-1235)
- 901101 Common Base Linux Mariner (CBL-Mariner) Security Update for squashfs-tools (7464-1)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Debian | Debian Linux | 10.0 | All | All | All |
Operating System | Debian | Debian Linux | 11.0 | All | All | All |
Operating System | Debian | Debian Linux | 9.0 | All | All | All |
Application | Squashfs-tools Project | Squashfs-tools | 4.5 | All | All | All |
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:squashfs-tools_project:squashfs-tools:4.5:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC)
---|---|---
twitter.com | CVE-2021-41072 : squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vul… twitter.com/i/web/status/1… | 2021-09-14 01:04:39