CVE-2021-23177

CWE-59 | 8 documents | 7 sources
Severity: 7.8 HIGH
EPSS: 0.0% (top 87.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 23; latest update Aug 24

Description

An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (4 packages)

Debian: libarchive < 3.4.3-2+deb11u1+3
Ubuntu: libarchive < 3.4.0-2ubuntu1.1
CVEListV5: libarchive, fixed in libarchive 3.5.2

Also affects: Debian Linux 10.0, Fedora 35, Enterprise Linux 8.0, 8.6

Patches

Vulnerability Details (4)

GHSA: GHSA-fq9q-7wp8-gpr7: An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link (2022-08-24)
CVEList: CVE-2021-23177: An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link (2022-08-23)
OSV: CVE-2021-23177: An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link (2022-08-23)
OSV: libarchive vulnerabilities (2022-02-17)

Vendor Advisories (3)

Ubuntu: libarchive vulnerabilities (2022-02-17)
Red Hat: libarchive: extracting a symlink with ACLs modifies ACLs of target (2021-08-21)
Debian: CVE-2021-23177: libarchive - An improper link resolution flaw while extracting an archive can lead to changin... (2021)