// For flags

CVE-2021-21272

zip slip in ORAS

Severity Score

7.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.

ORAS es un software de código abierto que permite una forma de empujar artefactos OCI a registros conformes con OCI. ORAS es tanto un CLI para pruebas iniciales como un módulo Go. En ORAS a partir de la versión 0.4.0 y anterior a la versión 0.9.0, existe una vulnerabilidad de "deslizamiento de zip". La función de soporte de directorios permite que los tarballs gzipped descargados se extraigan automáticamente al directorio especificado por el usuario, donde el tarball puede tener enlaces simbólicos y enlaces duros. Un tarball o tarballs bien elaborados permiten a los proveedores de artefactos maliciosos enlazar, escribir o sobrescribir archivos específicos en el sistema de archivos del host fuera del directorio especificado por el usuario de forma inesperada con los mismos permisos que el usuario que ejecuta `oras pull`. Los usuarios de las versiones afectadas se ven afectados si son usuarios de `oras` CLI que ejecutan `oras pull`, o si son programas Go, que invocan `github.com/deislabs/oras/pkg/content.FileStore`. El problema ha sido corregido en la versión 0.9.0. Para los usuarios de la CLI de `oras`, no hay ninguna solución que no sea la de extraer de un proveedor de artefactos de confianza. Para los usuarios del paquete `oras`, la solución es no utilizar `github.com/deislabs/oras/pkg/content.FileStore`, y utilizar otros almacenes de contenido en su lugar, o tirar de un proveedor de artefactos de confianza

A flaw was found in oras. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`.

Red Hat Advanced Cluster Management for Kubernetes 2.3.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs and security issues. Issues addressed include code execution, cross site scripting, denial of service, integer overflow, and null pointer vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-12-22 CVE Reserved
  • 2021-01-25 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Deislabs
Search vendor "Deislabs"
 Oras
Search vendor "Deislabs" for product "Oras"
 >= 0.4.0 < 0.9.0
Search vendor "Deislabs" for product "Oras" and version " >= 0.4.0 < 0.9.0"
-
Affected