#VU70623 Link following in Oras - CVE-2021-21272

Cybersecurity Help s.r.o.

Published: 2023-01-03

Vulnerability identifier: #VU70623

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-21272

CWE-ID: CWE-59

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oras

Vendor: Deislabs

Description

The vulnerability allows a remote attacker to overwrite files on the system.

The vulnerability exists due to insecure hardlink following when extracting files from an archive. A remote attacker can trick the victim into downloading a gzipped tarballs that will be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oras: 0.4.0 - 0.8.1

External links
https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
https://github.com/deislabs/oras/releases/tag/v0.9.0
https://pkg.go.dev/github.com/deislabs/oras/pkg/oras
https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for helm

Insecure archive handling in oras