An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
References
Link | Resource |
---|---|
https://access.redhat.com/security/cve/CVE-2021-23177 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2024245 | Issue Tracking Patch Third Party Advisory |
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad | Patch Third Party Advisory |
https://github.com/libarchive/libarchive/issues/1565 | Issue Tracking Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html | Mailing List Third Party Advisory |
History
03 Dec 2022, 14:16
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
First Time | Debian; Debian debian Linux | |
22 Nov 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
26 Aug 2022, 16:38
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown; v3 : 7.8 |
CWE | CWE-59 | |
CPE | cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:* cpe:2.3:a:libarchive:libarchive:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:* | |
First Time | Fedoraproject; Redhat enterprise Linux Eus; Redhat enterprise Linux For Ibm Z Systems Eus; Redhat codeready Linux Builder; Fedoraproject fedora; Redhat; Redhat enterprise Linux For Ibm Z Systems; Redhat enterprise Linux; Libarchive libarchive; Redhat enterprise Linux Server Aus; Redhat enterprise Linux For Power Little Endian Eus; Redhat enterprise Linux For Power Little Endian; Libarchive; Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions; Redhat enterprise Linux Server Tus | |
References | (MISC) https://access.redhat.com/security/cve/CVE-2021-23177 - Third Party Advisory | |
References | (MISC) https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad - Patch, Third Party Advisory | |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2024245 - Issue Tracking, Patch, Third Party Advisory | |
References | (MISC) https://github.com/libarchive/libarchive/issues/1565 - Issue Tracking, Patch, Third Party Advisory | |
23 Aug 2022, 17:04
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-23 16:15
Updated : 2023-12-10 14:35
NVD link : CVE-2021-23177
Mitre link : CVE-2021-23177
CVE.ORG link : CVE-2021-23177
Products Affected
redhat
- enterprise_linux
- enterprise_linux_for_power_little_endian
- enterprise_linux_for_ibm_z_systems
- enterprise_linux_server_tus
- enterprise_linux_for_ibm_z_systems_eus
- codeready_linux_builder
- enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions
- enterprise_linux_server_aus
- enterprise_linux_eus
- enterprise_linux_for_power_little_endian_eus
fedoraproject
- fedora
libarchive
- libarchive
debian
- debian_linux
CWE
CWE-59
Improper Link Resolution Before File Access ('Link Following')