
CVE-2021-23521

Improper Link Resolution Before File Access ('Link Following')

Published: Jan 31, 2022 | Modified: Feb 07, 2022
CVSS 3.x: 7.8 HIGH (source: NVD) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 4.6 MEDIUM AV:L/AC:L/Au:N/C:P/I:P/A:P
Ubuntu: MEDIUM

This affects the package juce-framework/JUCE before 6.1.5. The vulnerability is triggered by a malicious archive crafted with an entry containing a symbolic link. When the archive is extracted, the symbolic link is followed outside the target directory, allowing arbitrary files to be written on the target host. In some cases this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted by calling uncompressTo() on a ZipFile object.
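The two checks a safe extractor needs against this class of bug, as an added example that is not JUCE's own code: refuse symlink entries outright, and verify that each entry's fully resolved destination stays under the target directory before writing. It runs against a constructed archive shaped like the one described above; the function names and sample archive are assumptions, and the standard library's zipfile module stands in for JUCE's ZipFile.

```python
import io
import os
import stat
import tempfile
import zipfile

def safe_extract(zip_bytes: bytes, target_dir: str) -> dict:
    """Extract only entries that cannot write outside target_dir; report the rest."""
    root = os.path.realpath(target_dir)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Rule 1: never materialise symlink entries (Unix mode bits sit in the
            # high 16 bits of external_attr); a planted link redirects later writes.
            if stat.S_ISLNK(info.external_attr >> 16):
                result["rejected"].append(info.filename)
                continue
            # Rule 2: realpath() follows '..' and any link already on disk, so the
            # containment check sees the real destination, not the nominal path.
            dest = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, dest]) != root:
                result["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with zf.open(info) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(info.filename)
    return result

def build_sample_zip(outside_dir: str) -> bytes:
    # Constructed archive: a symlink entry pointing outside the target, a file written through it, a '..' entry, one benign file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("escape")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, outside_dir)  # for a symlink entry the data is the link target
        zf.writestr("escape/pwned.txt", "would land in outside_dir")
        zf.writestr("../traversal.txt", "classic zip-slip entry")
        zf.writestr("docs/readme.txt", "harmless content")
    return buf.getvalue()

def demo() -> dict:
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as target:
        # Simulate a link already planted by an unsafe extractor so rule 2 is exercised.
        os.symlink(outside, os.path.join(target, "escape"))
        return safe_extract(build_sample_zip(outside), target)
```

Rule 2 is the one that still holds when a link already exists on disk, which is why a plain prefix check on the entry name (the "zip slip" check alone) is not sufficient for this CVE's symlink variant.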

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Name Vendor Start Version End Version
Juce Juce * 6.1.5 (excluding)
Juce Ubuntu bionic *
Juce Ubuntu devel *
Juce Ubuntu esm-apps/bionic *
Juce Ubuntu esm-apps/focal *
Juce Ubuntu esm-apps/jammy *
Juce Ubuntu esm-apps/noble *
Juce Ubuntu focal *
Juce Ubuntu impish *
Juce Ubuntu jammy *
Juce Ubuntu kinetic *
Juce Ubuntu lunar *
Juce Ubuntu mantic *
Juce Ubuntu noble *
Juce Ubuntu oracular *
Juce Ubuntu trusty *
Juce Ubuntu xenial *

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References