Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-7463.json
JSON Data
https://api.osv.dev/v1/vulns/AZL-7463
Upstream
Published
2021-08-27T15:15:09Z
Modified
2026-04-21T04:38:45.592740Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Summary
CVE-2021-40153 affecting package squashfs-tools for versions less than 4.5.1-1
Details

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.

References

Affected packages

Azure Linux:2 / squashfs-tools

Package

Name
squashfs-tools
Purl
pkg:rpm/azure-linux/squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.5.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-7463.json"