WriteEntryToDirectory used for an archive extraction is vulnerable to partial path traversal.
CVE-2021-39208

4.3MEDIUM

Key Information:

Vendor

Adamhathcock

Status
Sharpcompress
Vendor
CVE Published:
16 September 2021

What is CVE-2021-39208?

SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that fullDestinationDirectoryPath ends with slash. If the destinationDirectory is not slash terminated like /home/user/dir it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. /home/user/dir.sh. Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case. This issue is fixed in SharpCompress version 0.29.0.

Affected Version(s)

sharpcompress < 0.29.0

References

https://github.com/adamhathcock/sharpcompress/security/ad...
x_refsource_CONFIRM
https://github.com/adamhathcock/sharpcompress/pull/614
x_refsource_MISC
https://github.com/adamhathcock/sharpcompress/releases/ta...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.