Stay informed about CVE-2021-21272 affecting ORAS software versions 0.4.0 to 0.9.0. Learn about the impact, technical details, and mitigation steps.
This article provides an overview of CVE-2021-21272, a "zip-slip" vulnerability found in ORAS software versions between 0.4.0 and 0.9.0.
Understanding CVE-2021-21272
This section delves into the details of the vulnerability and its impact.
What is CVE-2021-21272?
CVE-2021-21272 affects ORAS, enabling malicious artifact providers to write, link, or overwrite files outside the intended directory when pulling gzipped tarballs.
The Impact of CVE-2021-21272
Users running oras pull, or Go programs invoking github.com/deislabs/oras/pkg/content.FileStore, are vulnerable, with a base severity of HIGH (CVSS score: 7.7), allowing unexpected file manipulations.
Technical Details of CVE-2021-21272
This section covers the technical aspects of the vulnerability.
Vulnerability Description
The vulnerability arises from improper handling of entry paths when a gzipped tarball is extracted into a directory: entry names and link targets that resolve outside the destination directory are not rejected, so a crafted archive can write, link, or overwrite files beyond the intended directory.
Affected Systems and Versions
ORAS versions from 0.4.0 up to, but not including, 0.9.0 are affected; 0.9.0 contains the fix.
Exploitation Mechanism
A malicious artifact provider serves a gzipped tarball whose entries use relative paths or link targets that resolve outside the extraction directory; when the FileStore's directory support extracts such an archive, those entries are written to locations on the host filesystem that the user never intended.
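The defensive check that closes this class of bug is to validate every tar entry against the extraction root before anything is written. The following Go program is an added example written for this article; it is not ORAS code and does not reproduce the FileStore implementation. It builds a small in-memory archive (constructed sample data, not a real artifact) containing the entry shapes a zip-slip archive relies on, then audits each entry: names that escape the root, absolute or escaping symlink targets, hard links outside the root, and entries that would be written through a symlink declared earlier in the same archive. Function names (SafeJoin, AuditArchive, ConstructedArchive) and the "out" root are assumptions of the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var ErrPathEscape = errors.New("tar entry escapes extraction root")
var ErrThroughSymlink = errors.New("tar entry path traverses an earlier symlink entry")

// SafeJoin resolves name under root and rejects it when the cleaned result is
// not root itself or a descendant of root. Join cleans the path, so "../"
// sequences collapse and are then caught by the Rel check; absolute names are
// treated as relative to root, which keeps them inside.
func SafeJoin(root, name string) (string, error) {
	root = filepath.Clean(root)
	target := filepath.Join(root, name)
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathEscape, name)
	}
	return target, nil
}

// checkEntry validates one header against root and against the symlinks
// declared by earlier entries; symlinks is updated when a symlink is accepted.
func checkEntry(root string, hdr *tar.Header, symlinks map[string]bool) (string, error) {
	target, err := SafeJoin(root, hdr.Name)
	if err != nil {
		return "", err
	}
	// Refuse to write through any path component an earlier entry made a symlink:
	// where it lands on disk would then depend on the filesystem, not the archive.
	for p := filepath.Dir(filepath.Clean(hdr.Name)); p != "." && p != "/"; p = filepath.Dir(p) {
		if symlinks[p] {
			return "", fmt.Errorf("%w: %q via %q", ErrThroughSymlink, hdr.Name, p)
		}
	}
	switch hdr.Typeflag {
	case tar.TypeSymlink:
		if filepath.IsAbs(hdr.Linkname) {
			return "", fmt.Errorf("%w: absolute symlink target %q", ErrPathEscape, hdr.Linkname)
		}
		// A symlink target is relative to the directory containing the link.
		if _, err := SafeJoin(root, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)); err != nil {
			return "", err
		}
		symlinks[filepath.Clean(hdr.Name)] = true
	case tar.TypeLink:
		// A hard link target is relative to the extraction root.
		if _, err := SafeJoin(root, hdr.Linkname); err != nil {
			return "", err
		}
	}
	return target, nil
}

// AuditArchive walks a tar stream and reports which entries would be safe to
// extract under root (as resolved paths) and which are rejected and why.
// It never writes to disk.
func AuditArchive(root string, r io.Reader) ([]string, map[string]string, error) {
	tr := tar.NewReader(r)
	symlinks := map[string]bool{}
	rejected := map[string]string{}
	var accepted []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, rejected, nil
		}
		if err != nil {
			return nil, nil, err
		}
		target, cerr := checkEntry(root, hdr, symlinks)
		if cerr != nil {
			rejected[hdr.Name] = cerr.Error()
			continue
		}
		accepted = append(accepted, target)
	}
}

type entry struct {
	name, link, body string
	typ              byte
}

// ConstructedArchive builds an in-memory tarball (sample data constructed for
// this example) mixing benign entries with the shapes a zip-slip archive uses.
func ConstructedArchive() []byte {
	entries := []entry{
		{name: "manifest.json", typ: tar.TypeReg, body: "{}"},
		{name: "nested/ok.txt", typ: tar.TypeReg, body: "fine"},
		{name: "../../outside.txt", typ: tar.TypeReg, body: "escapes root"},
		{name: "escape-link", typ: tar.TypeSymlink, link: "../../secrets"},
		{name: "lnk", typ: tar.TypeSymlink, link: "nested"},
		{name: "lnk/through.txt", typ: tar.TypeReg, body: "written through a symlink"},
		{name: "hard", typ: tar.TypeLink, link: "../../outside-hard"},
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typ, Linkname: e.link, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	accepted, rejected, err := AuditArchive("out", bytes.NewReader(ConstructedArchive()))
	if err != nil {
		panic(err)
	}
	for _, p := range accepted {
		fmt.Println("ok      ", p)
	}
	for name, why := range rejected {
		fmt.Println("REJECTED", name, "->", why)
	}
}
```

Running it accepts manifest.json, nested/ok.txt and the in-tree symlink lnk, and rejects the other four entries. The path check alone is not enough in practice: an extractor that honours symlinks created earlier in the archive can still be steered outside the root by a later entry, which is why the audit also refuses to write through any symlink it has already seen; a real extractor should additionally use Lstat on each path component so pre-existing symlinks on disk are caught too.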
Mitigation and Prevention
Discover the steps to mitigate and prevent exploitation of this vulnerability.
Immediate Steps to Take
Users are advised to upgrade to version 0.9.0 and to pull only from trusted artifact providers.
Long-Term Security Practices
Avoid using github.com/deislabs/oras/pkg/content.FileStore and opt for alternative content stores for increased security.
Patching and Updates
Ensure all systems are updated to ORAS version 0.9.0 to safeguard against the 'zip-slip' vulnerability.