CVE-2021-41072
squashfs-tools - security update
8.1
HIGH
CVSS 3.1
EPSS 3.6%
Description
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
How to fix CVE-2021-41072
To remediate CVE-2021-41072, upgrade the affected package to a fixed version below.
- —upgrade to 4.5-r1 or later
- —upgrade to 1:4.4-2+deb11u2 or later
- —upgrade to 1:4.3-3+deb9u3 or later
- —upgrade to 1:4.3-12+deb10u2 or later
Is CVE-2021-41072 being exploited?
Low — EPSS is 3.6%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 4.5-r1
- from 0, < 1:4.4-2+deb11u2
- from 0, < 1:4.3-3+deb9u3
- from 0, < 1:4.3-12+deb10u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |