CVE-2021-3139

CVSS v3.1 8.1 (High)
CVSS v2.0 5.5 (Medium)
EPSS 0.17 % (54th)
Affected Products 1
Advisories 6

In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.

Weaknesses
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2021-01-13 16:15:14 (3 years ago)
Updated Date: 2021-01-22 18:25:15 (3 years ago)

Affected Products


Configuration #1

Product: Tcmu-runner Project Tcmu-runner (from version 1.3.0, up to and including 1.5.2)
CPE23: cpe:2.3:a:tcmu-runner_project:tcmu-runner
From: >= 1.3.0
Up To: <= 1.5.2