CVE-2021-3139

2021-01-1316:15:14

Debian Security Bug Tracker

security-tracker.debian.org

open-iscsi

tcmu-runner

directory traversal

remote attack

xcopy request

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

0.004

Percentile

72.9%

JSON

In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.

OSVersionArchitecturePackageVersionFilename
Debian12alltcmu< 1.5.2-6tcmu_1.5.2-6_all.deb
Debian11alltcmu< 1.5.2-6tcmu_1.5.2-6_all.deb
Debian999alltcmu< 1.5.2-6tcmu_1.5.2-6_all.deb
Debian13alltcmu< 1.5.2-6tcmu_1.5.2-6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	tcmu	< 1.5.2-6	tcmu_1.5.2-6_all.deb
Debian	11	all	tcmu	< 1.5.2-6	tcmu_1.5.2-6_all.deb
Debian	999	all	tcmu	< 1.5.2-6	tcmu_1.5.2-6_all.deb
Debian	13	all	tcmu	< 1.5.2-6	tcmu_1.5.2-6_all.deb