Arch Linux: Directory traversal (CVE-2021-33896)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Jun 7, 2021 | Jul 11, 2025 | Nov 27, 2025 |
Description
It was discovered that when a user receives and downloads a file in Dino before version 0.2.1, URI-encoded path separators in the file name are decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.
This vulnerability does not allow existing files to be overwritten or modified, and the attacker cannot control the executable flag of created files. However, third-party software may be affected by newly created configuration files, potentially allowing code execution.
The file name, including path separators, is displayed to the user; however, long file names are ellipsized in the middle, which lets the attacker hide the path separators as long as the resulting file name is long enough.
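The following added example (not Dino's code, and not part of the advisory) models the three points the description makes: the decode-then-join step that turns `%2F` into real path separators, a hardened version that accepts only a single path component inside the download directory, and a middle-ellipsized display label that hides the separators from the user. The download directory, hostname and file names are constructed sample data.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed sample data (not from the advisory): a download directory and two
# file-transfer URLs, one benign and one whose last path segment hides '/'
# characters behind %2F so that it still looks like a single file name.
DOWNLOAD_DIR = "/home/alice/Downloads"
BENIGN_URL = "https://files.example.invalid/upload/holiday_pictures.jpg"
MALICIOUS_URL = ("https://files.example.invalid/upload/"
                 "holiday_pictures_2021%2F..%2F..%2F.config%2Fautostart%2F"
                 "final_version_of_the_album.desktop")


def remote_file_name(url):
    """Last path segment of the transfer URL, as a client would take it."""
    return url.rsplit("/", 1)[-1]


def vulnerable_target_path(download_dir, url):
    """Models the pre-0.2.1 behaviour the advisory describes: the segment is
    percent-decoded and joined onto the download directory, so every %2F
    becomes a real path separator.  posixpath.normpath collapses '..'
    lexically; a live kernel only resolves 'x/..' if 'x' exists, so a real
    attacker would pick a prefix directory that does."""
    name = unquote(remote_file_name(url))
    return posixpath.normpath(posixpath.join(download_dir, name))


def safe_target_path(download_dir, url):
    """Hardened version: decode, then accept only a single path component and
    verify the final path still lives directly inside download_dir."""
    name = unquote(remote_file_name(url))
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError("rejected file name: %r" % name)
    target = posixpath.normpath(posixpath.join(download_dir, name))
    if posixpath.dirname(target) != posixpath.normpath(download_dir):
        raise ValueError("path escapes download directory: %s" % target)
    return target


def accepts(download_dir, url):
    """True if safe_target_path would accept the transfer."""
    try:
        safe_target_path(download_dir, url)
        return True
    except ValueError:
        return False


def ellipsize_middle(name, max_len=30):
    """Approximates a UI label that shortens long names in the middle, the
    behaviour that lets the decoded separators go unnoticed."""
    if len(name) <= max_len:
        return name
    head = (max_len - 1) // 2
    tail = max_len - 1 - head
    return name[:head] + "\u2026" + name[-tail:]


def displayed_name(url):
    """What the user would see for the transfer: decoded, then ellipsized."""
    return ellipsize_middle(unquote(remote_file_name(url)))


def create_new_file(path, data):
    """Create-only write (O_EXCL): returns False instead of touching an
    existing file, matching the advisory's 'no overwrite' limitation."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo_no_overwrite():
    """Runs create_new_file twice on the same fresh temp path."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "autostart.desktop")
    return create_new_file(p, b"first"), create_new_file(p, b"second")


if __name__ == "__main__":
    print("decoded name :", unquote(remote_file_name(MALICIOUS_URL)))
    print("displayed as :", displayed_name(MALICIOUS_URL))
    print("vulnerable   :", vulnerable_target_path(DOWNLOAD_DIR, MALICIOUS_URL))
    print("hardened     :", "accepted" if accepts(DOWNLOAD_DIR, MALICIOUS_URL)
          else "rejected")
    print("benign       :", safe_target_path(DOWNLOAD_DIR, BENIGN_URL))
    print("no overwrite :", demo_no_overwrite())
```

Run it to see that the malicious transfer resolves to a path under the user's `.config` directory in the vulnerable model while the 30-character label shows no separator at all; the hardened check rejects the same name before any path is built. The `O_EXCL` helper is the behaviour that stops an attacker from replacing an existing file, which is why the advisory limits the impact to newly created files.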
Solution
arch-linux-upgrade-latest: upgrade to the latest Arch Linux package. The issue is fixed in Dino 0.2.1 (see ASA-202107-35).
References
- CVE-2021-33896
- https://attackerkb.com/topics/CVE-2021-33896
- http://www.openwall.com/lists/oss-security/2021/06/07/2
- https://dino.im/blog/
- https://dino.im/security/cve-2021-33896/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODN4ZSTBYIW25DO3FNRK6FQRGSYGT57I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P55V3TVSVXREOJAJRXNUSBEUZFOU54V3/
- https://security.archlinux.org/ASA-202107-35
- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")