CVE-2021-41072

squashfs-tools: possible Directory Traversal via symbolic link

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

Una función squashfs_opendir en el archivo unsquash-2.c en Squashfs-Tools versión 4.5 permite un Salto de Directorio, una vulnerabilidad diferente a CVE-2021-40153. Un sistema de archivos squashfs que ha sido diseñado para incluir un enlace simbólico y luego contenidos bajo el mismo nombre de archivo en un sistema de archivos puede causar que unsquashfs primero cree el enlace simbólico apuntando fuera del directorio esperado, y luego la operación de escritura subsiguiente causará que el proceso unsquashfs escriba mediante el enlace simbólico en otra parte del sistema de archivos

A directory traversal flaw was found in squashfs-tools. During extraction, a file can escape the destination directory by using a symbolic link, and a regular file with an identical name. This flaw allows a specially crafted squashfs archive to install or overwrite files outside of the destination directory.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-14 CVE Reserved
2021-09-14 CVE Published
2024-07-23 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59: Improper Link Resolution Before File Access ('Link Following')

CAPEC

References (7)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html	Mailing List

URL	Date	SRC
https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405	2024-08-04

URL	Date	SRC
https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd	2023-05-30

URL	Date	SRC
https://security.gentoo.org/glsa/202305-29	2023-05-30
https://www.debian.org/security/2021/dsa-4987	2023-05-30
https://access.redhat.com/security/cve/CVE-2021-41072	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2004957	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Squashfs-tools Project Search vendor "Squashfs-tools Project"		Squashfs-tools Search vendor "Squashfs-tools Project" for product "Squashfs-tools"				4.5 Search vendor "Squashfs-tools Project" for product "Squashfs-tools" and version "4.5"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected