CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
35.6%
The directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.
A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs oras pull
.
Precisely, the following users of the affected versions are impacted
oras
CLI users who runs oras pull
.github.com/deislabs/oras/pkg/content.FileStore
.The problem has been patched by the PR linked with this advisory. Users should upgrade their oras
CLI and packages to 0.9.0
.
For oras
CLI users, there is no workarounds other than pulling from a trusted artifact provider.
For oras
package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore
, and use other content stores instead, or pull from a trusted artifact provider.
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-g5v4-5x39-vwhx
github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
github.com/deislabs/oras/releases/tag/v0.9.0
github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx
nvd.nist.gov/vuln/detail/CVE-2021-21272
pkg.go.dev/github.com/deislabs/oras/pkg/oras
pkg.go.dev/vuln/GO-2021-0099
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
35.6%