GHSA-vp2x-3mc3-3cj4

Suggest an improvement
Source
https://github.com/advisories/GHSA-vp2x-3mc3-3cj4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-vp2x-3mc3-3cj4/GHSA-vp2x-3mc3-3cj4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vp2x-3mc3-3cj4
Aliases
Published
2023-01-31T12:30:24Z
Modified
2024-11-18T23:22:44.551816Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Path traversal in ubi-reader
Details

ubireaderextractfiles is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). This is due to the fact that a node name (dentnode.name) is considered trusted and joined to the extraction directory path during processing, then the node content is written to that joined path. By crafting a malicious UBIFS file with node names holding path traversal payloads (e.g. ../../tmp/outside.txt), it's possible to force ubireader to write outside of the extraction directory. This issue affects ubi-reader before 0.8.5.

Database specific 
{
    "nvd_published_at": "2023-01-31T10:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-31T19:01:51Z"
}
References

Affected packages

PyPI / ubi-reader

Package

Name
ubi-reader
View open source insights on deps.dev
Purl
pkg:pypi/ubi-reader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.8.5

Affected versions

0.*

0.5.0
0.6.0
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.2
0.8.0
0.8.2