CVE-2024-47877

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Oct 11, 2024 / Updated: 39d ago

CVSS 6.9 / EPSS 0.04% / Medium

Summary

A vulnerability in the Extract Go library, which is used to extract archives in zip, tar.gz, or tar.bz2 formats, allows an attacker to create a symlink outside the extraction target directory using a maliciously crafted archive. This vulnerability is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal') and CWE-61 (UNIX Symbolic Link (Symlink) Following).

Impact

This vulnerability could allow an attacker to perform a path traversal attack, potentially gaining access to or modifying files outside the intended extraction directory. This could lead to unauthorized access to sensitive files, data exfiltration, or system compromise. The CVSS v4 base score for this vulnerability is 6.9 (Medium severity), with an attack vector of Network, low attack complexity, and no privileges required. The vulnerability primarily affects the integrity of the vulnerable system.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 4.0.0 of the Extract library. Users of the Extractor.FS interface will need to implement new methods that have been added when upgrading to version 4.

Mitigation

1. Update the Extract library to version 4.0.0 or later as soon as possible.
2. If immediate updating is not possible, implement strict input validation and sanitization for any archives processed by the Extract library.
3. Limit the permissions of the process running the extraction to minimize potential impact.
4. Monitor for any suspicious file system activities, especially those involving symlinks.
5. If using the Extractor.FS interface, plan for the implementation of the new methods required in the v4 update.
6. Conduct a thorough review of any applications using the vulnerable versions of the Extract library to identify potential exploitation.
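As an added defensive example (not code from the extract library, the fixed v4 release, or this advisory), the following Go check illustrates the kind of per-entry validation mitigation step 2 calls for: it rejects archive names that resolve outside the destination, and symlinks whose target, resolved relative to the link's own directory, would leave it. The archiveEntry type, CheckEntry, insideDir and the sample entries are all constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// archiveEntry is a constructed stand-in for one tar/zip header:
// Name is the path inside the archive; Linkname is set for symlinks.
type archiveEntry struct {
	Name, Linkname string
}

// insideDir reports whether the cleaned path p stays within root.
func insideDir(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckEntry rejects an entry whose own path, or whose symlink target (resolved
// lexically relative to the link's own directory), would land outside dest.
// Caveat: a later entry could still be written through an earlier in-tree
// symlink, so the extractor must also refuse to write through existing
// symlinks (os.Lstat on each parent component) before creating files.
func CheckEntry(dest string, e archiveEntry) error {
	entryPath := filepath.Join(dest, e.Name) // Join cleans away "../" segments
	if !insideDir(dest, entryPath) {
		return fmt.Errorf("entry %q escapes %s", e.Name, dest)
	}
	if e.Linkname == "" {
		return nil
	}
	if filepath.IsAbs(e.Linkname) {
		return fmt.Errorf("symlink %q has absolute target %q", e.Name, e.Linkname)
	}
	if target := filepath.Join(filepath.Dir(entryPath), e.Linkname); !insideDir(dest, target) {
		return fmt.Errorf("symlink %q -> %q escapes %s", e.Name, e.Linkname, dest)
	}
	return nil
}

func main() {
	// Constructed sample entries, not taken from any real archive.
	for _, e := range []archiveEntry{{"app/config.yml", ""}, {"app/evil", "../../../etc"}} {
		fmt.Println(e.Name, "->", CheckEntry("/srv/unpack", e))
	}
}
```

The check is purely lexical, so it complements rather than replaces the v4 upgrade and the least-privilege and monitoring steps above.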

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5001255)

Oct 11, 2024 at 7:53 AM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 11, 2024 at 3:45 PM
CVE Assignment

NVD published the first details for CVE-2024-47877

Oct 11, 2024 at 5:15 PM
CVSS

A CVSS base score of 6.9 has been assigned.

Oct 11, 2024 at 5:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-47877.

Oct 11, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 11, 2024 at 5:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 11.2%)

Oct 12, 2024 at 10:02 AM
CVSS

A CVSS base score of 6.9 has been assigned.

Oct 15, 2024 at 1:02 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (757378)

Nov 5, 2024 at 7:53 AM

Affected Systems

Octobercms/october

Patches

Github Advisory

Attack Patterns

CAPEC-126: Path Traversal

Vendor Advisory

[GHSA-8rm2-93mq-jqhc] Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.
Please use version 4.0.0 or later github.com/codeclysm/extract/v4. If you're not using the extract.Extractor.FS interface, you will not face any breaking changes and upgrading should be as simple as changing the import to /v4.

News

SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2024:3911-1)
The remote SUSE host is missing one or more security updates. The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3911-1 advisory.
suse_linux SUSE-SU-2024:3911-1: SUSE SLES15 / openSUSE 15 : Security update for govulncheck-vulndb (Important) (SUSE-SU-2024:3911-1)
Testing Last Updated: 11/6/2024 CVEs: CVE-2024-49757 , CVE-2024-47182 , CVE-2024-8037 , CVE-2024-47827 , CVE-2024-8996 , CVE-2024-9264 , CVE-2024-47003 , CVE-2024-33662 , CVE-2024-47067 , CVE-2024-9180 , CVE-2024-49753 , CVE-2024-8038 , CVE-2024-9407 , CVE-2024-48921 , CVE-2024-47877 , CVE-2024-10214 , CVE-2023-32197 , CVE-2024-47832 , CVE-2024-8901 , CVE-2024-39223 , CVE-2024-9355 , CVE-2024-9313 , CVE-2024-8975 , CVE-2024-9341 , CVE-2024-36814 , CVE-2024-49381 , CVE-2024-22036 , CVE-2024-9486 , CVE-2024-47825 , CVE-2024-7558 , CVE-2023-22644 , CVE-2024-9594 , CVE-2024-47616 , CVE-2024-10241 , CVE-2024-49380 , CVE-2022-45157 , CVE-2024-38365 , CVE-2024-47534 , CVE-2024-48909 , CVE-2024-9312 , CVE-2024-7594 , CVE-2024-22030 , CVE-2024-9675 , CVE-2024-50312
Security: Multiple issues in govulncheck-vulndb (SUSE)
* SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE: 2024:3911-1 important: govulncheck-vulndb Security Advisory Updates
* jsc#PED-11136 Cross-References: * CVE-2022-45157 * CVE-2023-22644
openSUSE: 2024:3911-1: important: govulncheck-vulndb Security Advisory Update
This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20241030T212825 2024-10-30T21:28:25Z ( jsc#PED-11136 )

CVSS V3.1

Unknown
