#VU70623 Link following in Oras


Published: 2023-01-03

Vulnerability identifier: #VU70623

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21272

CWE-ID: CWE-59

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oras
/

Vendor: Deislabs

Description

The vulnerability allows a remote attacker to overwrite files on the system.

The vulnerability exists due to insecure hardlink following when extracting files from an archive. A remote attacker can trick the victim into downloading a gzipped tarballs that will be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oras: 0.4.0 - 0.8.1

External links
http://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
http://github.com/deislabs/oras/releases/tag/v0.9.0
http://pkg.go.dev/github.com/deislabs/oras/pkg/oras
http://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for helm
Insecure archive handling in oras