CVE-2021-32841
Arbitrary File Creation vulnerability in SharpZipLib (NuGet)
What is CVE-2021-32841 About?
This vulnerability in SharpZipLib allows for arbitrary file creation due to improper handling of destination directory paths. Attackers can create files with specific names outside the intended directory, though the overall impact is limited and use-case dependent. Exploitation is moderately difficult, requiring specific conditions regarding the target directory path.
Affected Software
Technical Details
The vulnerability arises when SharpZipLib processes archive extractions. A check is implemented to ensure extracted files are within the specified destination directory (destDir). However, if destDir is not terminated with a slash (e.g., /home/user/dir instead of /home/user/dir/), the check can be bypassed. This allows for the creation of files with names that begin with the destination directory, such as /home/user/dir.sh. The file system treats dir.sh as a separate file under /home/user/, effectively escaping the intended directory confinement by leveraging an incomplete path validation mechanism.
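The prefix check described above, shown as an added example (not SharpZipLib's own code): a plain `StartsWith` test against an unterminated destination directory, next to a version that appends the directory separator before comparing. The class name, method names and sample entry names are assumptions constructed for illustration.

```csharp
using System;
using System.IO;

// Added illustration; names and sample paths are constructed, not taken from SharpZipLib.
static class ExtractionPathCheck
{
    // Weak form: string-prefix test against destDir exactly as supplied.
    // If destDir is ".../dir" (no trailing separator), the sibling path
    // ".../dir.sh" shares that prefix and is accepted.
    public static bool IsInsideNaive(string destDir, string entryName)
    {
        string root = Path.GetFullPath(destDir);
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    // Hardened form: force the root to end with a separator, so only paths
    // that are real descendants of the directory can match the prefix.
    public static bool IsInsideStrict(string destDir, string entryName)
    {
        string sep = Path.DirectorySeparatorChar.ToString();
        string root = Path.GetFullPath(destDir);
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;
        // Path.Combine returns entryName unchanged when it is rooted;
        // the prefix test below still rejects it unless it lies under root.
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed destination directory without a trailing separator.
        string destDir = Path.Combine(Path.GetTempPath(), "dir");
        // Constructed entry names: one legitimate, one sibling-prefix case,
        // one ordinary traversal that both checks reject.
        string[] entries = { "notes/readme.txt", "../dir.sh", "../other/file.txt" };

        foreach (string entry in entries)
        {
            Console.WriteLine("{0,-20} naive={1,-5} strict={2}",
                entry, IsInsideNaive(destDir, entry), IsInsideStrict(destDir, entry));
        }
    }
}
```

The two checks disagree only on the sibling-prefix entry, which is why callers on affected versions that pass a separator-terminated `destDir` are not exposed to this bypass.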
What is the Impact of CVE-2021-32841?
Successful exploitation may allow attackers to create arbitrary files in unintended locations on the file system. This could lead to a denial of service, data corruption, or, in specific contexts, the execution of malicious scripts if the created file is placed in an executable path and subsequently triggered.
What is the Exploitability of CVE-2021-32841?
Exploitation of this vulnerability is of moderate complexity, primarily due to the specific conditions required for the destDir path. There are no explicit authentication requirements; if an application uses SharpZipLib to process untrusted archive files, the vulnerability can be triggered. Privilege requirements are limited to the permissions of the process operating on the archive. This is a remote exploitation scenario if the attacker can provide a malicious archive file to a vulnerable application. The primary constraint is that the created file's name must start with the non-slash-terminated destDir, which limits total control over the file's final name. Risk factors that increase exploitability include applications directly exposing archive extraction functionality to untrusted users or handling archives from untrusted sources without robust input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-32841?
About the Fix from Resolved Security
This patch strengthens the directory traversal check when extracting tar files by ensuring that the directory component of the destination file path must start with the intended destination directory, rather than only relying on the full file path. This prevents attackers from exploiting crafted tar entries with sequences like "../" to escape the target extraction directory, thus addressing the path traversal vulnerability tracked as CVE-2021-32841.
Available Upgrade Options
- SharpZipLib
- >1.3.0, <1.3.3 → Upgrade to 1.3.3
Additional Resources
- https://github.com/icsharpcode/SharpZipLib/commit/5c3b293de5d65b108e7f2cd0ea8f81c1b8273f78
- https://github.com/icsharpcode/SharpZipLib
- https://osv.dev/vulnerability/GHSA-2x7h-96h5-rq84
- https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/
- https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3
- https://nvd.nist.gov/vuln/detail/CVE-2021-32841
What are Similar Vulnerabilities to CVE-2021-32841?
Similar Vulnerabilities: CVE-2007-4560, CVE-2019-10023, CVE-2019-1000004, CVE-2018-1000096, CVE-2018-12023
