Main Vulnerability Database SB2021012530

SB2021012530 - Insecure archive handling in oras

Published: January 25, 2021 Updated: January 3, 2023

Security Bulletin ID SB2021012530

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Link following (CVE-ID: CVE-2021-21272)

The vulnerability allows a remote attacker to overwrite files on the system.

The vulnerability exists due to insecure hardlink following when extracting files from an archive. A remote attacker can trick the victim into downloading a gzipped tarballs that will be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.

Remediation

Install update from vendor's website.

References

https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
https://github.com/deislabs/oras/releases/tag/v0.9.0
https://pkg.go.dev/github.com/deislabs/oras/pkg/oras
https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx