CVE-2021-39208
Extraction outside the destination directory vulnerability in SharpCompress (NuGet)

What is CVE-2021-39208 About?

SharpCompress can be exploited for directory traversal if 'ExtractFullPath' is true, allowing files to be created outside the intended destination directory. This occurs due to insufficient validation of the destination directory path, making it possible for attackers to write files to unintended locations. While the impact is limited by filename constraints, it still poses a risk depending on the application's use case.

Affected Software

SharpCompress <0.29

Technical Details

The vulnerability in SharpCompress arises when the ExtractFullPath option is set to true, allowing the recreation of absolute directory hierarchies. The safeguard against extraction outside the destination directory checks whether destinationFileName starts with fullDestinationDirectoryPath. However, this check is flawed because fullDestinationDirectoryPath is not guaranteed to be slash-terminated (e.g., /home/user/dir). An attacker can craft an archive containing a file path like dir.sh when the destinationDirectory is /home/user/dir. During extraction, the resulting destinationFileName, /home/user/dir.sh, passes the starts-with check against fullDestinationDirectoryPath (/home/user/dir), so the file /home/user/dir.sh is created one level up, in /home/user/. This allows arbitrary file creation adjacent to the intended target directory, rather than strictly within it.
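The prefix check described above, set beside a separator-terminated form, as an added C# example (not SharpCompress source code or its actual fix). The class and method names and the sample paths are constructed for illustration; only the two variable names come from the description above.

```csharp
using System;
using System.IO;

// Added example: models the check described in the text, not SharpCompress code.
static class ExtractionPathCheck
{
    // Flawed safeguard: a plain prefix test against a directory path
    // that is not guaranteed to end in a separator.
    public static bool FlawedIsInside(string destinationDirectory, string candidate)
    {
        string fullDestinationDirectoryPath = Path.GetFullPath(destinationDirectory);
        string destinationFileName = Path.GetFullPath(candidate);
        return destinationFileName.StartsWith(fullDestinationDirectoryPath, StringComparison.Ordinal);
    }

    // Hardened form: terminate the directory with a separator before the
    // comparison, so ".../dir" can no longer match ".../dir.sh".
    // Ordinal comparison is an assumption that suits case-sensitive file systems.
    public static bool HardenedIsInside(string destinationDirectory, string candidate)
    {
        string root = Path.GetFullPath(destinationDirectory);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;
        string target = Path.GetFullPath(candidate);
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed sample paths mirroring the /home/user/dir example.
        string parent = Path.Combine(Path.GetTempPath(), "user");
        string dest = Path.Combine(parent, "dir");
        string[] candidates =
        {
            Path.Combine(dest, "notes", "readme.txt"), // inside the destination
            Path.Combine(parent, "dir.sh"),            // sibling file sharing the prefix
            Path.Combine(parent, "dir-old", "x.txt"),  // sibling directory sharing the prefix
            Path.Combine(parent, "other", "x.txt"),    // unrelated sibling directory
        };
        foreach (string c in candidates)
            Console.WriteLine($"{c,-40} flawed={FlawedIsInside(dest, c),-5} hardened={HardenedIsInside(dest, c)}");
    }
}
```

Only the first candidate lies inside the destination; the two siblings that share the `dir` prefix are the ones the flawed check accepts and the hardened check rejects.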

What is the Impact of CVE-2021-39208?

Successful exploitation may allow attackers to create files in unintended directories, possibly leading to denial of service, arbitrary code execution, or privilege escalation, depending on the file's content and location.

What is the Exploitability of CVE-2021-39208?

Exploiting this directory traversal vulnerability requires an attacker to provide a malicious archive that is then processed by SharpCompress with ExtractFullPath enabled. The attack is typically local, involving a compromised archive, but could be remote if the application processes untrusted archives from external sources. No authentication is needed to trigger the vulnerability once the malicious archive is being processed. The primary prerequisites are that the application uses SharpCompress to extract archives and has ExtractFullPath set to true. The constraints include limitations on file names relative to the destination directory, which might restrict the exact location of arbitrary file creation. Risk factors include applications that accept and extract untrusted archives.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-39208?

Available Upgrade Options

  • SharpCompress
    • <0.29 → Upgrade to 0.29

What are Similar Vulnerabilities to CVE-2021-39208?

Similar Vulnerabilities: CVE-2023-45136, CVE-2021-27025, CVE-2020-28267, CVE-2018-1002205, CVE-2018-12020