Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc1djQtNXgzOS12d2h4
Zip slip directory exploit in github.com/deislabs/oras
Impact
The directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.
A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs oras pull.
Precisely, the following users of the affected versions are impacted
orasCLI users who runsoras pull.- Go programs, which invokes
github.com/deislabs/oras/pkg/content.FileStore.
Patches
The problem has been patched by the PR linked with this advisory. Users should upgrade their oras CLI and packages to 0.9.0.
Workarounds
For oras CLI users, there is no workarounds other than pulling from a trusted artifact provider.
For oras package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore, and use other content stores instead, or pull from a trusted artifact provider.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue on the GitHub repo
- Email the list of maintainers
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc1djQtNXgzOS12d2h4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Identifiers: GHSA-g5v4-5x39-vwhx, CVE-2021-21272
References:
- https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx
- https://nvd.nist.gov/vuln/detail/CVE-2021-21272
- https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
- https://github.com/deislabs/oras/releases/tag/v0.9.0
- https://pkg.go.dev/github.com/deislabs/oras/pkg/oras
- https://pkg.go.dev/vuln/GO-2021-0099
- https://github.com/advisories/GHSA-g5v4-5x39-vwhx
Blast Radius: 27.0
Affected Packages
go:github.com/deislabs/oras
Dependent packages: 350Dependent repositories: 3,232
Downloads:
Affected Version Ranges: < 0.9.0
Fixed in: 0.9.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1
All unaffected versions: 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.16.0, 1.0.0, 1.0.1, 1.1.0