CVE-2021-28153

Published: Mar 11, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

Affected (4)

Products: Gnome: Glib · Broadcom: Brocade Fabric Operating System Firmware · Debian: Debian Linux · +1 more

Show all products

Gnome: Glib · Broadcom: Brocade Fabric Operating System Firmware · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

Brocade Fabric Operating System Firmware

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gnome Glib	Before 2.66.8

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Broadcom Brocade Fabric Operating System Firmware	All versions
Debian Debian Linux	Version 9.0
Fedoraproject Fedora	Version 33

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (12)

https://gitlab.gnome.org/GNOME/glib/-/issues/2325

Source: cve@mitre.org

ExploitIssue TrackingPatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2022/06/msg00006.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202107-13

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210416-0003/

Source: cve@mitre.org

Third Party Advisory

https://gitlab.gnome.org/GNOME/glib/-/issues/2325

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2022/06/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202107-13

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210416-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.