Cyber Resilience

CVE-2021-32825

Severity: Low · Public PoC

Published: 16 August 2021
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1: 2.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)
EPSS: 0.0050 (66.5th percentile)
Risk Priority: 6 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-32825 is a low-severity Relative Path Traversal (CWE-23) vulnerability in bblfshd, from the bblfshd project. Its CVSS v3.1 base score is 2.7 (Low).

Operationally, it ranks in the top 33.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.


Vulnerability details

bblfshd is an open source self-hosted server for source code parsing. In bblfshd before commit 4265465b9b6fb5663c30ee43806126012066aad4 there is a "zipslip" vulnerability. The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. This issue may lead to arbitrary file write (with the same permissions as the program running the unpack operation) if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files the parent process has permission to read. For more details including a PoC see the referenced GHSL-2020-258.
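The symlink handling described above is the zipslip bug class: an entry name or link target containing "../" (or an absolute path) is written without checking that it stays inside the extraction directory. The following Go check is added here as an illustration and is not bblfshd's own code; it shows how an unpack routine can validate each archive member, regular file or symlink, before touching the filesystem. The Entry type, SafeTarget function and the /srv/unpack destination are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Entry is a constructed stand-in for one archive member; not a bblfshd type.
type Entry struct {
	Name     string // path recorded in the archive
	Symlink  bool   // true for a symbolic-link member
	Linkname string // link target when Symlink is true
}

var ErrEscapes = errors.New("archive entry escapes destination")

// withinDest reports whether the cleaned path p lies at or below dest.
func withinDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// SafeTarget returns the on-disk path an entry may be written to, or ErrEscapes
// when the name or, for a symlink, the resolved link target leaves dest.
func SafeTarget(dest string, e Entry) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, e.Name) // Join cleans "../" before the check
	if !withinDest(dest, target) {
		return "", fmt.Errorf("%w: %q", ErrEscapes, e.Name)
	}
	if e.Symlink {
		// Relative targets resolve from the link's directory; absolute ones as-is.
		linkDest := e.Linkname
		if !filepath.IsAbs(linkDest) {
			linkDest = filepath.Join(filepath.Dir(target), linkDest)
		}
		if !withinDest(dest, filepath.Clean(linkDest)) {
			return "", fmt.Errorf("%w: symlink %q -> %q", ErrEscapes, e.Name, e.Linkname)
		}
	}
	return target, nil
}

func main() { // constructed entries: a normal file and an escaping symlink
	for _, e := range []Entry{{Name: "src/main.go"}, {Name: "lnk", Symlink: true, Linkname: "/etc/passwd"}} {
		fmt.Println(SafeTarget("/srv/unpack", e))
	}
}
```

The path check alone does not stop a later regular-file entry from being written through a symlink the same archive created earlier; an extractor should also refuse to follow existing symlinks on the way down (for example by creating all symlinks only after every regular file has been written).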

CWE(s)

CWE-23: Relative Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: bblfshd project
Product: bblfshd
Affected versions: ≤ 2021-08-11

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
