Vulnerability CVE-2011-5325

Vulnerability Name:

CVE-2011-5325 (CCN-107430)

Assigned:

2015-10-21

Published:

2015-10-21

Updated:

2021-02-19

Summary:

Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-22

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2011-5325

Source: CCN
Type: BusyBox GIT Repository
tar: add a note about -C and symlink-in-tarball attack

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html

Source: FULLDISC
Type: Exploit, Mailing List, Third Party Advisory
20190612 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

Source: FULLDISC
Type: Exploit, Mailing List, Third Party Advisory
20200827 SEC Consult SA-20200827-0 :: Multiple Vulnerabilities in ZTE mobile Hotspot MS910S

Source: CCN
Type: oss-sec Mailing List, Wed, 21 Oct 2015 10:36:33 -0500
CVE Request: BusyBox tar directory traversal

Source: CCN
Type: oss-sec Mailing List, Wed, 21 Oct 2015 14:56:50 -0500
Re: CVE Request: BusyBox tar directory traversal

Source: CCN
Type: oss-sec Mailing List, Wed, 21 Oct 2015 17:47:36 -0400 (EDT)
Re: CVE Request: BusyBox tar directory traversal

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20151021 Re: CVE Request: BusyBox tar directory traversal

Source: CCN
Type: BusyBox bug tracking web site
Bug 8411 - Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Source: CCN
Type: Red Hat Bugzilla Bug 1274215
(CVE-2011-5325) CVE-2011-5325 busybox: Path traversal via crafted tar file containing symlink

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1274215

Source: XF
Type: UNKNOWN
busybox-cve20115325-dir-trav(107430)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180727 [SECURITY] [DLA 1445-1] busybox security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210215 [SECURITY] [DLA 2559-1] busybox security update

Source: BUGTRAQ
Type: Exploit, Mailing List, Third Party Advisory
20190613 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

Source: UBUNTU
Type: Third Party Advisory
USN-3935-1

Vulnerable Configuration:

Configuration 1:

cpe:/a:busybox:busybox:*:*:*:*:*:*:*:* (Version <= 1.21.1)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7456	P	busybox-1.35.0-150500.8.2 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:800	P	Security update for libjpeg-turbo (Moderate)	2022-10-04
oval:org.opensuse.security:def:3744	P	Security update for java-11-openjdk (Important) (in QA)	2022-07-22
oval:org.opensuse.security:def:3515	P	gstreamer-plugins-good-1.8.3-15.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3701	P	libvpx1-1.3.0-3.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94627	P	libbsd-devel-0.8.7-3.3.17 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:93142	P	(Important)	2022-06-10
oval:org.opensuse.security:def:93295	P	(Important)	2022-05-16
oval:org.opensuse.security:def:99753	P	(Moderate)	2022-03-04
oval:org.opensuse.security:def:119071	P	Security update for busybox (Important)	2022-02-14
oval:org.opensuse.security:def:119189	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:101592	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:118692	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:119379	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:118882	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:100064	P	(Moderate)	2022-01-20
oval:org.opensuse.security:def:119564	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:861	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:112032	P	busybox-1.35.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99228	P	(Important)	2022-01-17
oval:org.opensuse.security:def:106316	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10427	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92676	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:103028	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:100136	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:8922	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109687	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96249	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106804	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10718	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9887	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102910	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9139	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70585	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99033	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109576	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96200	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10441	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105723	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9677	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92083	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99427	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69618	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96259	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92477	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102929	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:111864	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70854	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99825	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:8727	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70016	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109595	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96210	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106515	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10445	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92875	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102890	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70567	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96340	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109556	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:93425	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102933	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9478	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70858	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70027	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109599	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:64833	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96220	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10714	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105918	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9876	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92278	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102900	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9129	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70581	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99626	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69817	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109566	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:73955	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99160	P	(Important)	2021-11-11
oval:org.opensuse.security:def:111105	P	Security update for busybox (Important)	2021-10-31
oval:org.opensuse.security:def:105655	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9605	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92015	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:70307	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:99355	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69553	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:117520	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106045	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92405	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:111767	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:8666	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69944	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:64604	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106443	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92803	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:101340	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9049	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:70495	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:108006	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:73726	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:10167	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9413	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:64790	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:105850	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9804	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92210	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:99554	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69745	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:73912	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106244	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:10355	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92604	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:8854	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106730	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92989	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:98965	P	Security update for busybox (Important)	2021-10-27
oval:com.ubuntu.bionic:def:201153250000000	V	CVE-2011-5325 on Ubuntu 18.04 LTS (bionic) - low.	2017-08-07
oval:com.ubuntu.artful:def:20115325000	V	CVE-2011-5325 on Ubuntu 17.10 (artful) - low.	2017-08-07
oval:com.ubuntu.trusty:def:20115325000	V	CVE-2011-5325 on Ubuntu 14.04 LTS (trusty) - low.	2017-08-07
oval:com.ubuntu.xenial:def:201153250000000	V	CVE-2011-5325 on Ubuntu 16.04 LTS (xenial) - low.	2017-08-07
oval:com.ubuntu.bionic:def:20115325000	V	CVE-2011-5325 on Ubuntu 18.04 LTS (bionic) - low.	2017-08-07
oval:com.ubuntu.xenial:def:20115325000	V	CVE-2011-5325 on Ubuntu 16.04 LTS (xenial) - low.	2017-08-07
oval:com.ubuntu.disco:def:201153250000000	V	CVE-2011-5325 on Ubuntu 19.04 (disco) - low.	2017-08-07
oval:com.ubuntu.cosmic:def:20115325000	V	CVE-2011-5325 on Ubuntu 18.10 (cosmic) - low.	2017-08-07
oval:com.ubuntu.cosmic:def:201153250000000	V	CVE-2011-5325 on Ubuntu 18.10 (cosmic) - low.	2017-08-07
oval:com.ubuntu.precise:def:20115325000	V	CVE-2011-5325 on Ubuntu 12.04 LTS (precise) - medium.	2017-03-08

BACK