nvd-json-data-feeds/CVE-2021/CVE-2021-391xx/CVE-2021-39143.json

{
  "id": "CVE-2021-39143",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2022-01-04T18:15:08.087",
  "lastModified": "2024-11-21T06:18:41.313",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don't override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files. Users are advised to update as soon as possible. For users unable to update disable Google AppEngine deployments and/or disable artifacts that provide TARs."
    },
    {
      "lang": "es",
      "value": "Spinnaker es una plataforma de entrega continua multi-nube de c\u00f3digo abierto. Se ha detectado una vulnerabilidad de salto de ruta en el uso de archivos TAR por parte de AppEngine para los despliegues. Esto usa una utilidad para extraer archivos localmente para el despliegue sin comprender las rutas en ese despliegue no anulan los archivos del sistema. Esto permitir\u00eda a un atacante anular archivos en el contenedor, introduciendo POTENCIALMENTE un vector de ataque de tipo MITM mediante la sustituci\u00f3n de bibliotecas o la inyecci\u00f3n de archivos wrapper. Se recomienda a usuarios que actualicen lo antes posible. Para los usuarios que no puedan actualizar, deshabiliten los despliegues de Google AppEngine y/o deshabiliten los artefactos que proporcionan TARs"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.7
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "baseScore": 3.6,
          "accessVector": "LOCAL",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE"
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 3.9,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.24.7",
              "matchCriteriaId": "51B41C20-068F-4C5A-9DFC-881BE5647DF7"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "1.25.0",
              "versionEndExcluding": "1.25.7",
              "matchCriteriaId": "35DF5CEB-C2A0-4E6B-A342-7F9D86FF8B98"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "1.26.0",
              "versionEndExcluding": "1.26.7",
              "matchCriteriaId": "13D2C5A9-95F0-4DB0-9FEE-CA87850872D8"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-34jx-3vmr-56v8",
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Technical Description",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-34jx-3vmr-56v8",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Technical Description",
        "Third Party Advisory"
      ]
    }
  ]
}