CVE-2021-36159
CVE Details
Visit the official vulnerability details page for CVE-2021-36159 to learn more.
Initial Publication
01/20/2025
Last Update
02/14/2025
Third Party Dependency
apk-tools
NIST CVE Summary
libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late.
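As an added illustration (not code from this page, from libfetch, or from Palette), the parsing pattern the NIST summary describes next to a hardened version; the function names and the sample reply lines are assumed for illustration only.

```c
/* Illustrative reconstruction of the CVE-2021-36159 parsing pattern, not
 * libfetch's real source: an FTP PASV reply like "227 Entering Passive Mode
 * (192,168,1,10,19,137)" is read with strtol into 4 address octets and 2
 * port bytes. Both parsers return p1 * 256 + p2, or -1 if they reject it. */
#include <ctype.h>
#include <stdlib.h>
/* Skip the 3-digit reply code and any text up to the first address number. */
static const char *first_number(const char *ln)
{
    while (isdigit((unsigned char)*ln))
        ln++;
    while (*ln && !isdigit((unsigned char)*ln))
        ln++;
    return ln;
}

/* Vulnerable pattern: strtol leaves p on the separator and the loop's p++
 * skips it before the next *p check. If the line ends right after a number,
 * p++ steps past the NUL and *p reads one byte beyond the buffer. */
int pasv_port_unsafe(const char *ln)
{
    unsigned char addr[6];
    const char *p = first_number(ln);
    char *end; int i;
    for (i = 0; *p && i < 6; i++, p++) {
        addr[i] = (unsigned char)strtol(p, &end, 10);
        p = end;                 /* may already be the terminating NUL */
    }
    return i < 6 ? -1 : addr[4] * 256 + addr[5];
}

/* Hardened: require a digit before each strtol, range-check the value, and
 * test the separator before skipping it, so a truncated or malformed reply
 * is rejected instead of being read past the end of the line. */
int pasv_port_safe(const char *ln)
{
    unsigned char addr[6];
    const char *p = first_number(ln);
    char *end; long v; int i;
    for (i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p) || (v = strtol(p, &end, 10)) > 255)
            return -1;           /* missing number (premature end) or > 255 */
        addr[i] = (unsigned char)v;
        p = end;
        if (i < 5 && *p++ != ',')
            return -1;           /* truncated line or bad separator */
    }
    return addr[4] * 256 + addr[5];
}
```

Only the hardened parser should be fed truncated input; the vulnerable one is kept to show where the original check sat one byte too late.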
CVE Severity
Our Official Summary
The out-of-bounds write vulnerability in the FTP implementation can be exploited by a malicious bzip2 payload, potentially resulting in a denial of service or remote code execution. The risk for our products is low for the following reasons: a) There are no known reports of exploitation from the third-party vendors. b) These images are not directly accessible to an attacker, so crafted input cannot be sent to them.
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.5.22 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
4.5.21 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
4.5.20 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
Revision History
Date | Revision |
---|---|
02/14/2025 | Impacted versions changed from 4.5.20, 4.5.21 to 4.5.20, 4.5.21, 4.5.22 |
02/12/2025 | Status changed from Open to Ongoing |
02/12/2025 | Official summary added |
02/05/2025 | Impacted versions changed from 4.5.20 to 4.5.20, 4.5.21 |