CVE-2021-31566

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-31566
An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/security/cve/CVE-2021-31566 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2024237 Issue Tracking Patch Third Party Advisory
https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 Patch Third Party Advisory
https://github.com/libarchive/libarchive/issues/1566 Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:libarchive:libarchive:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
History

27 Mar 2024, 16:04

Type Values Removed Values Added
CPE cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
First Time Splunk
Splunk universal Forwarder

03 Dec 2022, 14:16

Type Values Removed Values Added
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html - Mailing List, Third Party Advisory
First Time Debian
Debian debian Linux
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

22 Nov 2022, 20:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html -

26 Aug 2022, 16:09

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CPE cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
cpe:2.3:a:libarchive:libarchive:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
First Time Fedoraproject
Redhat enterprise Linux Eus
Redhat enterprise Linux For Ibm Z Systems Eus
Redhat codeready Linux Builder
Fedoraproject fedora
Redhat
Redhat enterprise Linux For Ibm Z Systems
Redhat enterprise Linux
Libarchive libarchive
Redhat enterprise Linux Server Aus
Redhat enterprise Linux For Power Little Endian Eus
Redhat enterprise Linux For Power Little Endian
Libarchive
Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
Redhat enterprise Linux Server Tus
CWE CWE-59
References (MISC) https://github.com/libarchive/libarchive/issues/1566 - (MISC) https://github.com/libarchive/libarchive/issues/1566 - Issue Tracking, Patch, Third Party Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2024237 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2024237 - Issue Tracking, Patch, Third Party Advisory
References (MISC) https://access.redhat.com/security/cve/CVE-2021-31566 - (MISC) https://access.redhat.com/security/cve/CVE-2021-31566 - Third Party Advisory
References (MISC) https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 - (MISC) https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 - Patch, Third Party Advisory

23 Aug 2022, 17:04

Type Values Removed Values Added
New CVE
Information

Published : 2022-08-23 16:15

Updated : 2024-03-27 16:04

NVD link : CVE-2021-31566

Mitre link : CVE-2021-31566

CVE.ORG link : CVE-2021-31566

JSON object : View

Products Affected

redhat

  • enterprise_linux_for_ibm_z_systems
  • enterprise_linux_for_power_little_endian_eus
  • enterprise_linux_server_tus
  • enterprise_linux_server_aus
  • enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions
  • codeready_linux_builder
  • enterprise_linux
  • enterprise_linux_for_power_little_endian
  • enterprise_linux_for_ibm_z_systems_eus
  • enterprise_linux_eus

libarchive

  • libarchive

splunk

  • universal_forwarder

debian

  • debian_linux

fedoraproject

  • fedora
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')