CVE-2021-41072

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41072

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41072.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-41072

Related

Published

2021-09-14T01:15:07Z

Modified

2024-12-05T15:34:31.426598Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

References

Affected packages

Alpine:v3.14 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.15 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.16 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.17 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.18 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.19 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.20 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Alpine:v3.21 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:apk/alpine/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5-r1

Affected versions

4.*

4.0-r0

4.0-r1

4.1-r0

4.2-r0

4.2-r1

4.2-r2

4.3-r0

4.3-r1

4.3-r2

4.3-r3

4.3-r4

4.3-r5

4.3-r6

4.4-r0

4.4-r1

4.5-r0

Debian:11 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:deb/debian/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:4.4-2+deb11u2

Affected versions

1:4.*

1:4.4-2

1:4.4-2+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:deb/debian/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:4.5-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / squashfs-tools

Package

Name: squashfs-tools
Purl: pkg:deb/debian/squashfs-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:4.5-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/plougher/squashfs-tools

Affected ranges

Type: GIT
Repo: https://github.com/plougher/squashfs-tools
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e0485802ec72996c20026da320650d8362f555bd

Affected versions

3.*

3.1

3.2

3.2-r2

4.*

4.4

4.4-git.1

4.5