Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-3139
HistoryJan 13, 2021 - 12:00 a.m.

CVE-2021-3139

2021-01-1300:00:00
ubuntu.com
ubuntu.com
23

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.004 Low

EPSS

Percentile

72.9%

In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2,
xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer
restrictions, allowing remote attackers to read or write files via
directory traversal in an XCOPY request. For example, an attack can occur
over a network if the attacker has access to one iSCSI LUN. NOTE: relative
to CVE-2020-28374, this is a similar mistake in a different algorithm.

Notes

Author Note
alexmurray Related to CVE-2020-28374
OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchtcmu< 1.5.2-5ubuntu0.20.04.1UNKNOWN
ubuntu20.10noarchtcmu< 1.5.2-5ubuntu0.20.10.1UNKNOWN
ubuntu22.04noarchtcmu< anyUNKNOWN
ubuntu24.04noarchtcmu< anyUNKNOWN

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.004 Low

EPSS

Percentile

72.9%