CVE-2021-3139

EUVD-2021-26486
In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
tcmu-runner_projecttcmu-runner
1.3.0 ≤
𝑥
≤ 1.5.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tcmu
bookworm
1.5.4-4.1
fixed
bullseye
1.5.2-6
fixed
sid
1.5.4-9
fixed
trixie
1.5.4-9
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tcmu
bionic
dne
focal
Fixed 1.5.2-5ubuntu0.20.04.1
released
groovy
Fixed 1.5.2-5ubuntu0.20.10.1
released
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needed
trusty
dne
xenial
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2021/01/13/5
https://bugzilla.suse.com/attachment.cgi?id=844938
https://bugzilla.suse.com/show_bug.cgi?id=1178372
https://github.com/open-iscsi/tcmu-runner/pull/644
https://www.openwall.com/lists/oss-security/2021/01/12/12
http://www.openwall.com/lists/oss-security/2021/01/13/5
https://bugzilla.suse.com/attachment.cgi?id=844938
https://bugzilla.suse.com/show_bug.cgi?id=1178372
https://github.com/open-iscsi/tcmu-runner/pull/644
https://www.openwall.com/lists/oss-security/2021/01/12/12