Directory Traversal Affecting dino package, versions <0.2.1-r0
Snyk CVSS
Attack Complexity: Low
Threat Intelligence
EPSS: 0.14% (49th percentile)
- Snyk ID SNYK-ALPINE313-DINO-1300828
- published 9 Jun 2021
- disclosed 7 Jun 2021
Introduced: 7 Jun 2021
CVE-2021-33896
How to fix?
Upgrade Alpine:3.13 dino to version 0.2.1-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream dino package and not the dino package as distributed by Alpine. See How to fix? for Alpine:3.13 relevant fixed versions and status.
Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators.
References
- https://dino.im/security/cve-2021-33896/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODN4ZSTBYIW25DO3FNRK6FQRGSYGT57I/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P55V3TVSVXREOJAJRXNUSBEUZFOU54V3/
- https://dino.im/blog/
- http://www.openwall.com/lists/oss-security/2021/06/07/2