CVE-2021-21272

{"id": "CVE-2021-21272", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2021-01-25T19:15:12.847", "references": [{"url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/deislabs/oras/releases/tag/v0.9.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider."}, {"lang": "es", "value": "ORAS es un software de c\u00f3digo abierto que permite una forma de empujar artefactos OCI a registros conformes con OCI. ORAS es tanto un CLI para pruebas iniciales como un m\u00f3dulo Go. En ORAS a partir de la versi\u00f3n 0.4.0 y anterior a la versi\u00f3n 0.9.0, existe una vulnerabilidad de \"deslizamiento de zip\". La funci\u00f3n de soporte de directorios permite que los tarballs gzipped descargados se extraigan autom\u00e1ticamente al directorio especificado por el usuario, donde el tarball puede tener enlaces simb\u00f3licos y enlaces duros. Un tarball o tarballs bien elaborados permiten a los proveedores de artefactos maliciosos enlazar, escribir o sobrescribir archivos espec\u00edficos en el sistema de archivos del host fuera del directorio especificado por el usuario de forma inesperada con los mismos permisos que el usuario que ejecuta `oras pull`. Los usuarios de las versiones afectadas se ven afectados si son usuarios de `oras` CLI que ejecutan `oras pull`, o si son programas Go, que invocan `github.com/deislabs/oras/pkg/content.FileStore`. El problema ha sido corregido en la versi\u00f3n 0.9.0. Para los usuarios de la CLI de `oras`, no hay ninguna soluci\u00f3n que no sea la de extraer de un proveedor de artefactos de confianza. Para los usuarios del paquete `oras`, la soluci\u00f3n es no utilizar `github.com/deislabs/oras/pkg/content.FileStore`, y utilizar otros almacenes de contenido en su lugar, o tirar de un proveedor de artefactos de confianza"}], "lastModified": "2024-02-21T20:39:19.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:deislabs:oras:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93510360-3674-4A55-9BB0-5FA39B53B970", "versionEndExcluding": "0.9.0", "versionStartIncluding": "0.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}