VDB
CVE-2021-23521
CVE-2021-23521
PUBLISHED
This affects the package juce-framework/JUCE before 6.1.5. This vulnerability is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target dir allowing writing arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted upon calling uncompressTo() on a ZipFile object.
EPSS 0.08% · 22.9th percentile
Risk Scores
EPSS Score
0.08%
22.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | juce | 0, 5.4.4~repack0-3, 5.4.5~ds0-1 |
| Ubuntu:16.04:LTS | juce | 0, 4.1.0+repack-3 |
| Ubuntu:22.04:LTS | juce | 6.1.5~ds0-1, 0, 5.4.7~ds0-2 |
| Ubuntu:18.04:LTS | juce | *, *, 0 |
| Ubuntu:24.04:LTS | juce | 7.0.5+ds-1, 7.0.5+ds-1build1, 0 |
| Ubuntu:25.10 | juce | 0, 8.0.6+ds-2 |
Exploit Intelligence
Timeline
- Jan 31, 2022 CVE Published
- Feb 1, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 8, 2022 EPSS Score
- Mar 26, 2022 EPSS Score
- May 17, 2022 EPSS Score
- Sep 1, 2022 EPSS Score
- Oct 23, 2022 EPSS Score
- Dec 15, 2022 EPSS Score
- Feb 6, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 31, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23521 third-party-advisory
- https://snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388608 third-party-advisory
- https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997d10a7f third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23521 third-party-advisory