Home > Vulnerability Database > CVE-2021-32610

Mend.io Vulnerability Database

CVE-2021-32610

Good to know:

Date: July 27, 2021

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

Language: PHP

Severity Score

7.1

Related Resources (17)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAODVMHGL5MHQWQAQTXQ7G7OE3VQZ7LS

Url: https://github.com/pear/Archive_Tar/commit/7789ebb2f34f9e4adb3a4152ad0d1548930a9755

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G5LTY6COQYNMMHQJ3QIOJHEWCKD4XDFH/

Url: https://github.com/pear/Archive_Tar

Url: https://www.drupal.org/sa-core-2021-004

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAODVMHGL5MHQWQAQTXQ7G7OE3VQZ7LS/

Url: https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-32610

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

Url: https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5LTY6COQYNMMHQJ3QIOJHEWCKD4XDFH

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

Url: https://github.com/pear/Archive_Tar/releases/tag/1.4.14

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

Url: https://access.redhat.com/security/cve/CVE-2021-32610

Url: https://www.mend.io/vulnerability-database/CVE-2021-32610

Severity Score

7.1

Weakness Type (CWE)

Improper Link Resolution Before File Access ('Link Following')

CWE-59

Top Fix

Upgrade Version

Upgrade to version vufind/vufind - dev-autocomplete-v2-1-10;vufind/vufind - dev-demiankatz-patch-1;vufind/vufind - v1.20.0;vufind/vufind - v2.0beta;vufind/vufind - dev-VUFIND-1342;vufind/vufind - dev-legacy/bundled-dependencies;vufind/vufind - dev-release-3.0;vufind/vufind - v1.28.0;vufind/vufind - v1.23.0;imscp/monsta-ftp - no_fix;acquia/acquia_cms - 2020-11-05;acquia/acquia_cms - 2020-10-11;acquia/acquia_cms - 2020-11-17;imscp/roundcube - 1.2.x-dev;imscp/roundcube - dev-master;imscp/roundcube - 1.0.0;kitware/cdash - v2.6.0;kitware/cdash - dev-ubuntu_base_image;kitware/cdash - trilinos-release-2018-08;kitware/cdash - dev-prevent_project_admin_registration;matomo/matomo - 2.0.4-b4;matomo/matomo - 2.0.4-b10;matomo/matomo - dev-dependabot-github_actions-ncipollo-release-action-1.14.0;matomo/matomo - dev-2.x-dev;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/composer/ca-bundle-1.5.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/floatthead-2.2.3;yetiforce/yetiforce-crm - dev-dependabot/add-v2-config-file;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/chartjs-plugin-datalabels-2.1.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-3.2.0;yetiforce/yetiforce-crm - dev-depfu/update/composer/zbateson/mail-mime-parser-2.4.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-3.0.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/abraham/twitteroauth-3.1.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/zbateson/mail-mime-parser-2.3.0;ec-cube/ec-cube - dev-dependabot/composer/twig/twig-2.14.11;native-network/example-open-social-composer - no_fix;native-network/example-open-social-composer - dev-dependabot/npm_and_yarn/web/libraries/diff/ini-1.3.7;phamvanhieu/laravel_5x - no_fix;bpez/infuse - v5.2.16;bpez/infuse - 1.0.0;bpez/infuse - no_fix;whitespace-se/matomo-core - 3.12.0;whitespace-se/matomo-core - 3.9.1;whitespace-se/matomo-core - 4.2.x-dev;acosf/archersys - 1.0;acosf/archersys - 3.5;acosf/archersys - 2.0.0;acosf/archersys - 4.0.0;acosf/archersys - v2.5beta;archersys/archersyscloud - no_fix;birlasoft/drupal-cms - no_fix;xrow/xrowpiwik-ls - 1.3.0;redactivemedia/redactive-drupal8-platform - 8.8.0;piwik/piwik - dev-dependabot-github_actions-ncipollo-release-action-1.14.0;piwik/piwik - 2.0.4-b10;piwik/piwik - 2.0.4-b4;piwik/piwik - dev-2.x-dev;pear/archive_tar - 1.4.13;pear/archive_tar - 1.4.4;my-oos/my-oos - v2.3.9;my-oos/my-oos - v2.0.113;nrel/nrel_bootstrap - dev-d10;ravaljigesh/prestolara - no_fix;studio509/project-default - no_fix;pixelstudio/updraftplus - no_fix;benborla/xampp - no_fix;unimatrix/backend - 1.0.3;ec-cube2/ec-cube2 - 2.13.x-dev;ec-cube2/ec-cube2 - 2.17.0;adaclare/server-manager - 14;qranio/azure-sdk-pear-deps - no_fix;mpl/matomo - 2.1.0;friendica/friendica - 3.6;x-cart-proj/x-cart-proj - no_fix

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	3.6
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-32610

Good to know:

Date: July 27, 2021

Language: PHP

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?