{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-33287", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T23:42:20.325Z", "dateReserved": "2021-05-20T00:00:00", "datePublished": "2021-09-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://ntfs-3g.com"}, {"url": "http://tuxera.com"}, {"name": "[oss-security] 20210830 NTFS3G-SA-2021-0001: Multiple buffer overflows in all versions of NTFS-3G", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/08/30/1"}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"name": "DSA-4971", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-4971"}, {"name": "FEDORA-2021-e7c8ba6301", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/"}, {"name": "FEDORA-2021-5b1dac797b", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/"}, {"name": "[debian-lts-announce] 20211116 [SECURITY] [DLA 2819-1] ntfs-3g security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"name": "GLSA-202301-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202301-01"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:20.325Z"}, "title": "CVE Program Container", "references": [{"url": "http://ntfs-3g.com", "tags": ["x_transferred"]}, {"url": "http://tuxera.com", "tags": ["x_transferred"]}, {"name": "[oss-security] 20210830 NTFS3G-SA-2021-0001: Multiple buffer overflows in all versions of NTFS-3G", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/08/30/1"}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp", "tags": ["x_transferred"]}, {"name": "DSA-4971", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4971"}, {"name": "FEDORA-2021-e7c8ba6301", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/"}, {"name": "FEDORA-2021-5b1dac797b", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/"}, {"name": "[debian-lts-announce] 20211116 [SECURITY] [DLA 2819-1] ntfs-3g security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"name": "GLSA-202301-01", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202301-01"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuxera:ntfs-3g:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBE087A1-98D1-4F40-9CC9-D90116B23E0C", "versionEndExcluding": "2021.8.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application."}, {"lang": "es", "value": "En NTFS-3G versiones anteriores a 2021.8.22, cuando se leen atributos NTFS especialmente dise\u00f1ados en la funci\u00f3n ntfs_attr_pread_i, puede ocurrir un desbordamiento del b\u00fafer de la pila y permitir la escritura en memoria arbitraria o la denegaci\u00f3n de servicio de la aplicaci\u00f3n"}], "id": "CVE-2021-33287", "lastModified": "2024-11-21T06:08:39.320", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-07T15:15:07.647", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://ntfs-3g.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://tuxera.com"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/08/30/1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202301-01"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "http://ntfs-3g.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "http://tuxera.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/08/30/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202301-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4971"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3704", "cpe": "cpe:/a:redhat:advanced_virtualization:8.2::el8", "package": "virt:8.2-8020120210917153657.863bb0db", "product_name": "Advanced Virtualization for RHEL 8.2.1", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3704", "cpe": "cpe:/a:redhat:advanced_virtualization:8.2::el8", "package": "virt-devel:8.2-8020120210917153657.863bb0db", "product_name": "Advanced Virtualization for RHEL 8.2.1", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3703", "cpe": "cpe:/a:redhat:advanced_virtualization:8.4::el8", "package": "virt:av-8040020210922084349.522a0ee4", "product_name": "Advanced Virtualization for RHEL 8.4.0.Z", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3703", "cpe": "cpe:/a:redhat:advanced_virtualization:8.4::el8", "package": "virt-devel:av-8040020210922084349.522a0ee4", "product_name": "Advanced Virtualization for RHEL 8.4.0.Z", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2022:1759", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt-devel:rhel-8060020220408104655.d63f516d", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:1759", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8060020220408104655.d63f516d", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "ntfs-3g: Heap buffer overflow in ntfs_attr_pread_i() triggered by specially crafted NTFS attributes", "id": "2001613", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001613"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application.", "The ntfs3g package is susceptible to a heap overflow on crafted input. When processing NTFS attributes, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2021-33287", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:8.2/libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:av/libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-08-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-33287\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33287\nhttps://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"], "threat_severity": "Moderate", "upstream_fix": "ntfs3g 2021.8.22"}