CVE-2021-21272: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS suffers from a zip-slip vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs oras pull.
References
- github.com/advisories/GHSA-g5v4-5x39-vwhx
- github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
- github.com/deislabs/oras/releases/tag/v0.9.0
- github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx
- nvd.nist.gov/vuln/detail/CVE-2021-21272
- pkg.go.dev/github.com/deislabs/oras/pkg/oras
Detect and mitigate CVE-2021-21272 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →