CVE-2021-31566
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-31566
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31566.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-31566
- Downstream
- Related
- Published
- 2022-08-23T16:15:09Z
- Modified
- 2025-10-15T12:59:23.209178Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
- References
-
- https://access.redhat.com/security/cve/CVE-2021-31566
- https://bugzilla.redhat.com/show_bug.cgi?id=2024237
- https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
- https://github.com/libarchive/libarchive/issues/1566
- https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html
Affected packages
Git / github.com/libarchive/libarchive
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libarchive/libarchive
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v2.*
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v3.*
v3.0.0a
v3.0.1b
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.900a
v3.1.901a
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"id": "CVE-2021-31566-0834228a",
"source": "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043",
"signature_version": "v1",
"target": {
"function": "new_fixup",
"file": "libarchive/archive_write_disk_posix.c"
},
"digest": {
"function_hash": "320885234252780684570698584660020445109",
"length": 392.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2021-31566-ac5c5a7f",
"source": "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043",
"signature_version": "v1",
"target": {
"function": "_archive_write_disk_close",
"file": "libarchive/archive_write_disk_posix.c"
},
"digest": {
"function_hash": "110734215287798123614942951414182550419",
"length": 1519.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2021-31566-d6100c6d",
"source": "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043",
"signature_version": "v1",
"target": {
"file": "libarchive/archive_write_disk_posix.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"334213001812460528018391827159886250604",
"298298676331893685508912404895218376082",
"281934148289165203262543037398505981918",
"133516452297774702506059862221571155387",
"255221266610567971253350916651381886473",
"170682487718179720080081239390752149260",
"170025671853692686754571705056591065980",
"45037131218959646499624916514381153602",
"186193754164664539686045318506423310731",
"225543418414766849505237414068380309124",
"86909181518846551630439248081499842741",
"204079521770618757456484582354817443455",
"186196365260791091821237758044867926710",
"177454630852752040839969091402436254366",
"19420843327646963772774605998605845839",
"293067094968881452369372668079840711572",
"203792904399839432760890263818080987312",
"5073500280348788259073985801637204843",
"56277685507538684435295851773380652368",
"144927451397420683091458932258143307900"
]
},
"deprecated": false
}
]