Miggo Logo

CVE-2021-32760: Archive package allows chmod of file outside of unpack target directory

5

CVSS Score
3.1

Basic Information

EPSS Score
0.35127%
Published
7/26/2021
Updated
1/31/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/containerd/containerdgo< 1.4.81.4.8
github.com/containerd/containerdgo>= 1.5.0, < 1.5.41.5.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how symlink handling was implemented in handleLChmod. The pre-patch code used os.Lstat(hdr.Linkname) to check if the target was a symlink before applying chmod. This allowed attackers to reference host files via symlinks in crafted images. The patch changes this to os.Lstat(path), ensuring permissions are only modified on the extracted symlink file itself, not its external target. The added test case 'HardlinkSymlinkChmod' in tar_test.go directly validates this fix by ensuring permissions on a file referenced via symlink outside the extraction root remain unchanged.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t * *u* w*s *oun* in *ont*in*r* w**r* pullin* *n* *xtr**tin* * sp**i*lly-*r**t** *ont*in*r im*** **n r*sult in Unix *il* p*rmission ***n**s *or *xistin* *il*s in t** *ost’s *il*syst*m. ***n**s to *il* p*rmissions **n **ny ****ss to t** *xp*

Reasoning

T** vuln*r**ility st*ms *rom *ow symlink **n*lin* w*s impl*m*nt** in **n*l*L**mo*. T** pr*-p*t** *o** us** `os.Lst*t(**r.Linkn*m*)` to ****k i* t** t*r**t w*s * symlink ***or* *pplyin* `**mo*`. T*is *llow** *tt**k*rs to r***r*n** *ost *il*s vi* symli