CVE-2023-0591

low-risk
Published 2023-01-31

ubireader_extract_files is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). This is due to the fact that a node name (dent_node.name) is considered trusted and joined to the extraction directory path during processing, then the node content is written to that joined path. By crafting a malicious UBIFS file with node names holding path traversal payloads (e.g. ../../tmp/outside.txt), it's possible to force ubi_reader to write outside of the extraction directory. This issue affects ubi-reader before 0.8.5.

Do I need to act?

-
0.30% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Ubi Reader

Affected Vendors

Ubi Reader Project

References (4)

Patch https://github.com/jrspruitt/ubi_reader/pull/57
Exploit https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk/
Patch https://github.com/jrspruitt/ubi_reader/pull/57
Exploit https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk/
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal