CVE-2021-32840

7.3 HIGH

📋 TL;DR

SharpZipLib versions before 1.3.3 contain a path traversal vulnerability in TAR file extraction. Attackers can craft malicious TAR archives with '../' sequences to write files outside the intended extraction directory, potentially leading to arbitrary file write and code execution. This affects any application using vulnerable SharpZipLib versions for TAR extraction.

💻 Affected Systems

Products:
  • SharpZipLib (#ziplib)
Versions: All versions before 1.3.3
Operating Systems: All platforms where SharpZipLib is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects TAR extraction functionality. ZIP, GZip, and BZip2 extraction are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution via arbitrary file write to sensitive locations like startup folders or configuration directories.

🟠 Likely Case

File system corruption, data loss, or privilege escalation by overwriting critical system or application files.

🟢 If Mitigated

Limited to extraction directory if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: HIGH - If application accepts TAR uploads from untrusted sources without validation.
🏢 Internal Only: MEDIUM - Requires user interaction or malicious insider to supply crafted TAR files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to extract TAR files from untrusted sources. Simple path traversal payloads like '../evil.txt' can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.3

Vendor Advisory: https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3

Restart Required: No

Instructions:

1. Update SharpZipLib NuGet package to version 1.3.3 or later.
2. Rebuild and redeploy affected applications.
3. Test TAR extraction functionality.

🔧 Temporary Workarounds

Input validation for TAR entries (Platforms: all)

Validate TAR entry names before extraction to reject paths containing '..' sequences.

Implement custom validation in extraction code to check for '../' patterns in entry names.

Sandbox extraction directory (Platforms: all)

Extract TAR files to isolated, temporary directories with restricted permissions.

Use System.IO.Path.GetTempPath() or similar to create temporary extraction directories.
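The two workarounds above combined in one extraction routine, as an added example rather than SharpZipLib's own code or its 1.3.3 fix: each entry's destination is resolved with Path.GetFullPath and rejected unless it stays under the chosen root (which can be a fresh temporary directory), so it catches '../', '..\' and absolute entry names rather than only string-matching '../'. It assumes the public TarInputStream/TarEntry API of the 1.3.x line.

```csharp
using System;
using System.IO;
using System.Text;
using ICSharpCode.SharpZipLib.Tar;

// Added example (not SharpZipLib's own code): extract a TAR stream entry by entry,
// refusing any entry whose resolved destination would escape the chosen root.
public static class SafeTarExtractor
{
    // Returns the absolute destination for an entry, or null if the entry would
    // land outside 'root' (".." traversal, absolute or rooted names).
    public static string ResolveWithinRoot(string root, string entryName)
    {
        if (string.IsNullOrEmpty(entryName) || Path.IsPathRooted(entryName))
            return null;
        string rootFull = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        // TAR names use '/'; normalise to the platform separator before resolving.
        string candidate = Path.GetFullPath(
            Path.Combine(rootFull, entryName.Replace('/', Path.DirectorySeparatorChar)));
        // Compare with a trailing separator on both sides: the root itself ("./" entries)
        // passes, a sibling such as "out-evil" next to root "out" does not.
        bool inside = (candidate + Path.DirectorySeparatorChar)
            .StartsWith(rootFull, StringComparison.Ordinal);
        return inside ? candidate : null;
    }

    public static void Extract(Stream tarStream, string root)
    {
        Directory.CreateDirectory(root);
        using (var tar = new TarInputStream(tarStream, Encoding.UTF8))
        {
            TarEntry entry;
            while ((entry = tar.GetNextEntry()) != null)
            {
                string dest = ResolveWithinRoot(root, entry.Name);
                if (dest == null)
                    throw new InvalidDataException("Rejected TAR entry escaping root: " + entry.Name);
                if (entry.IsDirectory)
                {
                    Directory.CreateDirectory(dest);
                    continue;
                }
                Directory.CreateDirectory(Path.GetDirectoryName(dest));
                using (var output = File.Create(dest))
                    tar.CopyEntryContents(output);
            }
        }
    }
}
```

Calling Extract with a root created under Path.GetTempPath() gives the sandboxed extraction the second workaround describes; a rejected entry aborts the whole extraction so a partially written archive is not left behind.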

🧯 If You Can't Patch

  • Disable TAR extraction functionality if not required.
  • Implement strict file type validation to reject TAR files from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

Check SharpZipLib version in project dependencies or installed packages. Versions below 1.3.3 are vulnerable.

Check Version:

For .NET projects: check packages.config or the PackageReference entry in the .csproj for the SharpZipLib version.

Verify Fix Applied:

Verify SharpZipLib version is 1.3.3 or higher in package manager or assembly version.

📡 Detection & Monitoring

Log Indicators:

  • Failed extraction attempts with suspicious file paths
  • Unexpected file writes outside extraction directories

Network Indicators:

  • Inbound TAR file uploads to vulnerable endpoints

SIEM Query:

source="application_logs" AND ("..\\" OR "../") AND "tar extraction"
