CVE-2021-23391

7.3 HIGH

📋 TL;DR

CVE-2021-23391 is a path traversal vulnerability in the Calipso package that allows malicious modules to overwrite arbitrary files during installation. This affects all versions of Calipso, putting any system using this package at risk of file system manipulation.

💻 Affected Systems

Products:
  • calipso
Versions: All versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using Calipso package is vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through overwriting critical system files, installation of persistent backdoors, or destruction of data.

🟠 Likely Case

Unauthorized file modification leading to data loss, service disruption, or privilege escalation.

🟢 If Mitigated

Limited impact with proper file permissions and module vetting, potentially only affecting non-critical files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires module installation capability, which typically requires some level of access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/cliftonc/calipso

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing strict module vetting.

🔧 Temporary Workarounds

  1. Disable module installation (platform: all)
     Prevent installation of new modules to block the attack vector.
     Modify Calipso configuration to disable module management features.

  2. Implement strict file permissions (platform: linux)
     Restrict Calipso's write access to only necessary directories.

     chmod 755 /path/to/calipso
     chown restricted_user:restricted_group /path/to/calipso

🧯 If You Can't Patch

  • Implement strict access controls and audit all installed modules
  • Run Calipso in a containerized environment with limited filesystem access

🔍 How to Verify

Check if Vulnerable:

Check if Calipso package is installed: npm list calipso

Check Version:

npm list calipso --depth=0

Verify Fix Applied:

Verify that no Calipso installation exists, or that the workarounds above are properly implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual module installation activity
  • File modification outside expected directories

Network Indicators:

  • Unexpected npm package downloads to Calipso instances

SIEM Query:

source="calipso" AND (event="module_install" OR event="file_write")
