Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-23177
HistoryDec 24, 2021 - 12:00 a.m.

CVE-2021-23177

2021-12-2400:00:00
ubuntu.com
ubuntu.com
32
improper link resolution
archive extraction
access control list
acl
malicious archive
local attacker
privilege escalation

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

25.2%

An improper link resolution flaw while extracting an archive can lead to
changing the access control list (ACL) of the target of the link. An
attacker may provide a malicious archive to a victim user, who would
trigger this flaw when trying to extract the archive. A local attacker may
use this flaw to change the ACL of a file on the system and gain more
privileges.

Bugs

Notes

Author Note
mdeslaur intrusive backport to bionic

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

25.2%