Cyber Resilience

CVE-2021-40153

Severity: High · Public PoC available

Published: 27 August 2021
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 score: 8.1 (High); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS score: 0.0054 (68.1st percentile)
Risk Priority: 17 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-40153 is a high-severity path traversal (CWE-22) vulnerability in Squashfs-Tools 4.5 (the unsquashfs extractor), as packaged by Fedora, Debian and Red Hat Enterprise Linux. Its CVSS v3.1 base score is 8.1 (High): the vector records network attack vector, low complexity and no privileges required, but user interaction is needed (a victim must run unsquashfs on a crafted image), and the impact is high for integrity and availability with no confidentiality impact.

Operationally, its EPSS score places it in the top 31.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.


Vulnerability details

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor                  Product           Versions
squashfs-tools project  squashfs-tools    4.5
fedoraproject           fedora            33, 34
debian                  debian linux      9.0, 10.0
redhat                  enterprise linux  7.0, 8.0

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that nothing can be written outside the intended destination directory.
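The traversal described under Vulnerability details, and the CWE-22 control listed above, as an added illustration in C. This is not squashfs-tools code: the functions, the parameter names (dest, parent_rel, name) and the sample entry names are constructed for the example. It shows the vulnerable pattern (joining an untrusted directory-entry name to the destination unchecked) beside two checks a hardened extractor needs: each entry name must be exactly one path component, and the relative path accumulated from the image root must never climb above the destination.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the CVE-2021-40153 pattern; hypothetical helpers,
 * not squashfs-tools code. They model how an extractor turns a directory
 * entry name read from an untrusted image into an output path. */

#define REL_MAX 4096

/* Vulnerable pattern: whatever name the image carries is joined to dest. */
int unsafe_target_path(const char *dest, const char *rel, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dest, rel);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* One directory entry must be exactly one path component: not empty, no
 * separator, not "." or "..". This is the validation the description says
 * is missing when the entry is read. */
int entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Defence in depth: lexically walk the relative path from the image root
 * to this entry and confirm it never climbs above the destination.
 * Returns 1 if contained, 0 if it escapes. */
int rel_path_is_contained(const char *rel)
{
    int depth = 0;
    const char *p = rel;

    if (rel == NULL || rel[0] == '/')      /* an absolute path escapes at once */
        return 0;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)               /* ".." above the root: escape */
                return 0;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                       /* ordinary component: one level down */
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* Hardened join: reject the entry instead of creating a file outside dest.
 * parent_rel is the already-validated path of the containing directory
 * relative to dest ("" for the image root). */
int safe_target_path(const char *dest, const char *parent_rel, const char *name,
                     char *out, size_t outlen)
{
    char rel[REL_MAX];
    int n;

    if (!entry_name_is_safe(name))
        return -1;
    if (parent_rel == NULL || parent_rel[0] == '\0')
        n = snprintf(rel, sizeof rel, "%s", name);
    else
        n = snprintf(rel, sizeof rel, "%s/%s", parent_rel, name);
    if (n < 0 || (size_t)n >= sizeof rel)
        return -1;
    if (!rel_path_is_contained(rel))
        return -1;
    return unsafe_target_path(dest, rel, out, outlen);
}

int main(void)
{
    /* Constructed sample: a benign entry and one as a crafted image might carry it. */
    const char *names[] = { "ls", "../../../../etc/cron.d/backdoor" };
    char out[REL_MAX];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (unsafe_target_path("/tmp/out", names[i], out, sizeof out) == 0)
            printf("unsafe join: %s\n", out);
        if (safe_target_path("/tmp/out", "usr/bin", names[i], out, sizeof out) == 0)
            printf("safe join:   %s\n", out);
        else
            printf("safe join:   rejected entry \"%s\"\n", names[i]);
    }
    return 0;
}
```

The checks here are purely lexical: they stop "../" sequences and absolute names in directory entries, which is the defect this CVE describes, but they do not cover a crafted image that places a symlink inside the destination and then writes through it. An extractor also needs to refuse to follow symlinks when creating output files. Until a patched package is installed, run unsquashfs on untrusted images as an unprivileged user and into an empty scratch directory, so that a write outside the destination has nothing sensitive to reach.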
