CVE-2021-32842
Arbitrary File Creation vulnerability in SharpZipLib (NuGet)
What is CVE-2021-32842 About?
This vulnerability in SharpZipLib allows for arbitrary file creation by manipulating the `_baseDirectory` during archive extraction. Attackers can create files one level up from the intended directory. The impact is limited to arbitrary file creation and depends on the specific use case, making it moderately difficult to exploit effectively.
Affected Software
Technical Details
The vulnerability stems from improper validation of `_baseDirectory` in SharpZipLib during archive processing. A check is in place to contain extracted files within `_baseDirectory`, but if this directory path is not slash-terminated (e.g., `/home/user/dir`), a bypass is possible. An attacker can craft an archive entry that, when extracted, creates a file whose name begins with the `_baseDirectory` path but that resides in its parent directory, such as `/home/user/dir.sh`. Because the path validation is incomplete, this amounts to directory traversal one level above the specified base directory.
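The containment flaw described above, as an added example that is not SharpZipLib's own code: it assumes the check can be modeled as a string-prefix comparison on the resolved path and sets that beside a separator-terminated variant. The class name, method names and sample entry names are hypothetical and constructed for illustration.

```csharp
using System;
using System.IO;

static class ExtractionPathCheck
{
    // Models the incomplete check (assumption): the resolved target only has to
    // start with the base directory string, which carries no trailing separator.
    public static bool IsInsideNaive(string baseDirectory, string entryName)
    {
        string root = Path.GetFullPath(baseDirectory);
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    // Hardened form: terminate the base directory with a separator before the
    // comparison, so a sibling such as "<base>.sh" no longer shares the prefix.
    public static bool IsInsideStrict(string baseDirectory, string entryName)
    {
        string root = Path.GetFullPath(baseDirectory);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed base directory without a trailing separator.
        string baseDir = Path.Combine(Path.GetTempPath(), "dir");

        // Constructed entry names: two ordinary entries, the sibling-prefix case
        // from the text (dir.sh next to dir), and a plain parent traversal.
        string[] entries = { "file.txt", "sub/file.txt", "../dir.sh", "../other.sh" };

        foreach (string entry in entries)
        {
            string resolved = Path.GetFullPath(Path.Combine(baseDir, entry));
            Console.WriteLine(
                $"{entry,-14} -> {resolved}  naive={IsInsideNaive(baseDir, entry)}  strict={IsInsideStrict(baseDir, entry)}");
        }
    }
}
```

Only the `../dir.sh` entry is classified differently by the two methods, which is why the issue is confined to sibling names that share the base directory's prefix.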
What is the Impact of CVE-2021-32842?
Successful exploitation may allow attackers to create files in directories that are one level higher than the intended extraction location. This could lead to data integrity issues, overwriting legitimate files, or potentially enabling further attacks like script execution if a manipulated file is placed in a critical system path.
What is the Exploitability of CVE-2021-32842?
Exploitation of this arbitrary file creation vulnerability is of moderate complexity, relying on the `_baseDirectory` not being slash-terminated. No specific authentication is required if the application processes untrusted archive input. Privilege requirements are bounded by the permissions of the application extracting the archive. This is generally a remote exploitation scenario where an attacker supplies a specially crafted archive. The attacker's control over the file path is restricted to creating files with names starting with the `_baseDirectory` but in the parent directory, thus limiting the direct impact without further vulnerabilities. Applications that automatically process or unpack untrusted archives are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-32842?
Available Upgrade Options
- SharpZipLib
- >1.0.0, <1.3.3 → Upgrade to 1.3.3
Additional Resources
- https://osv.dev/vulnerability/GHSA-mm6g-mmq6-53ff
- https://github.com/icsharpcode/SharpZipLib
- https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/
- https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3
- https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib
- https://nvd.nist.gov/vuln/detail/CVE-2021-32842
What are Similar Vulnerabilities to CVE-2021-32842?
Similar Vulnerabilities: CVE-2001-0968, CVE-2019-10023, CVE-2019-1000004, CVE-2018-1000096, CVE-2018-12023
