CVE-2021-23521

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-23521

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23521.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-23521

Related

SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388608
UBUNTU-CVE-2021-23521

Published

2022-01-31T11:15:07Z

Modified

2025-02-15T04:50:12.565813Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

This affects the package juce-framework/JUCE before 6.1.5. This vulnerability is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target dir allowing writing arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted upon calling uncompressTo() on a ZipFile object.

References

Affected packages

Debian:11 / juce

Package

Name: juce
Purl: pkg:deb/debian/juce?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.4.7~ds0-2

6.*

6.0.5~ds0-1~exp1

6.0.7~ds0-1~exp1

6.1.0~ds0-1~exp1

6.1.3~ds0-1~exp1

6.1.3~ds0-1~exp2

6.1.3~ds0-1~exp3

6.1.3~ds0-1

6.1.4~ds0-1

6.1.5~ds0-1

6.1.6~ds0-1

7.*

7.0.0~ds0-1

7.0.1~ds0-1

7.0.2~ds0-1

7.0.2~ds0-2

7.0.2~ds0-3

7.0.3~ds0-1

7.0.4+ds-1

7.0.4+ds-2

7.0.5+ds-1

7.0.5+ds-2

7.0.7+ds-1~exp1

7.0.8+ds-1~exp1

7.0.9+ds-1~exp1

7.0.11+ds-1~exp1

7.0.11+ds-1~exp2

7.0.12+ds-1~exp1

7.0.12+ds-1

8.*

8.0.0+ds-1

8.0.3+ds-1

8.0.3+ds-2

8.0.4+ds-1

8.0.6+ds-1

8.0.6+ds-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / juce

Package

Name: juce
Purl: pkg:deb/debian/juce?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.5~ds0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / juce

Package

Name: juce
Purl: pkg:deb/debian/juce?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.5~ds0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/juce-framework/juce

Affected ranges

Type: GIT
Repo: https://github.com/juce-framework/juce
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2e874e80cba0152201aff6a4d0dc407997d10a7f

Fixed

2e874e80cba0152201aff6a4d0dc407997d10a7f

Affected versions

1.*

1.51

1.52

1.53

2.*

2.0.0

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.40

2.0.41

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.1.0

3.1.1

3.2.0

4.*

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.3.0

4.3.1

5.*

5.0.0

5.0.1

5.0.2

5.1.0

5.1.1

5.1.2

5.2.0

5.2.1

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

6.*

6.0.0

6.0.1

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4