VDB

DEBIAN-CVE-2021-40153

DEBIAN-CVE-2021-40153 PUBLISHED CVSS 8.100000381469727 HIGH

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.

Risk Scores

CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Affected Products

VendorProductVersions
Debian:14squashfs-tools0, 0, 0
Debian:12squashfs-tools0, 0, 0
Debian:11squashfs-tools0, 4.4-2, 0
Debian:13squashfs-tools0, 0, 0

Timeline

  • Aug 27, 2021 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›