[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2021-21272":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":220,"aliases":221,"duplicate_of":9,"upstream":225,"downstream":226,"duplicates":233,"related":234,"reserved_at":9,"published_at":238,"modified_at":239,"state":240,"summary":241,"references_raw":250,"kevs":291,"epss":292,"epss_history":295,"metrics":564,"affected":579},"CVE-2021-21272","ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. 
For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.",null,[11,195],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-59","Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.","weakness","Draft","Base","Medium",[20,101,162,191],{"id":21,"name":22,"techniques":23},"CAPEC-132","Symlink Attack",[24],{"id":25,"name":26,"tactics":27,"countermeasures":34},"T1547.009","Shortcut Modification",[28,31],{"id":29,"name":30},"TA0110","Persistence",{"id":32,"name":33},"TA0111","Privilege Escalation",[35,40,44,48,52,57,62,67,72,77,81,85,89,93,97],{"id":36,"name":37,"tactic":38},"D3-FA","File Analysis",{"name":39},"Detect",{"id":41,"name":42,"tactic":43},"D3-FIM","File Integrity Monitoring",{"name":39},{"id":45,"name":46,"tactic":47},"D3-DA","Dynamic Analysis",{"name":39},{"id":49,"name":50,"tactic":51},"D3-EFA","Emulated File Analysis",{"name":39},{"id":53,"name":54,"tactic":55},"D3-FEV","File Eviction",{"name":56},"Evict",{"id":58,"name":59,"tactic":60},"D3-DF","Decoy File",{"name":61},"Deceive",{"id":63,"name":64,"tactic":65},"D3-FE","File Encryption",{"name":66},"Harden",{"id":68,"name":69,"tactic":70},"D3-RF","Restore File",{"name":71},"Restore",{"id":73,"name":74,"tactic":75},"D3-CF","Content Filtering",{"name":76},"Isolate",{"id":78,"name":79,"tactic":80},"D3-LFP","Local File Permissions",{"name":76},{"id":82,"name":83,"tactic":84},"D3-RFAM","Remote File Access Mediation",{"name":76},{"id":86,"name":87,"tactic":88},"D3-CQ","Content Quarantine",{"name":76},{"id":90,"name":91,"tactic":92},"D3-CM","Content Modification",{"name":76},{"id":94,"name":95,"tactic":96},"D3-EAL","Executable Allowlisting",{"name":76},{"id":98,"name":99,"tactic":100},"D3-EDL","Executable Denylisting",{"name":76},{"id":102,"name":103,"techniques":104},"CAPEC-17","Using Malicious Files",[105,142],{"id":106,"name":107,"tactics":108,"countermeasures":120},"T1574.005","Executable Installer File Permissions Weakness",[109,110,111,114,117],{"id":29,"name":30},{"id":32,"name":33},{"id":112,"name":113},"TA0030","Defense Evasion",{"id":115,"name":116},"TA0005","Stealth",{"id":118,"name":119},"TA0104","Execution",[121,126,130,134,138],{"id":122,"name":123,"tactic":124},"D3-SWI","Software Inventory",{"name":125},"Model",{"id":127,"name":128,"tactic":129},"D3-AVE","Asset Vulnerability Enumeration",{"name":125},{"id":131,"name":132,"tactic":133},"D3-SBV","Service Binary Verification",{"name":39},{"id":135,"name":136,"tactic":137},"D3-SU","Software Update",{"name":66},{"id":139,"name":140,"tactic":141},"D3-RS","Restore Software",{"name":71},{"id":143,"name":144,"tactics":145,"countermeasures":151},"T1574.010","Services File Permissions Weakness",[146,147,148,149,150],{"id":29,"name":30},{"id":32,"name":33},{"id":112,"name":113},{"id":115,"name":116},{"id":118,"name":119},[152,154,156,158,160],{"id":122,"name":123,"tactic":153},{"name":125},{"id":127,"name":128,"tactic":155},{"name":125},{"id":131,"name":132,"tactic":157},{"name":39},{"id":135,"name":136,"tactic":159},{"name":66},{"id":139,"name":140,"tactic":161},{"name":71},{"id":163,"name":164,"techniques":165},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[166,173,180],{"id":167,"name":168,"tactics":169,"countermeasures":172},"T1027.006","HTML Smuggling",[170,171],{"id":112,"name":113},{"id":115,"name":116},[],{"id":174,"name":175,"tactics":176,"countermeasures":179},"T1027.009","Embedded Payloads",[177,178],{"id":112,"name":113},{"id":115,"name":116},[],{"id":181,"name":182,"tactics":183,"countermeasures":186},"T1564.009","Resource Forking",[184,185],{"id":112,"name":113},{"id":115,"name":116},[187],{"id":188,"name":189,"tactic":190},"D3-FFV","File Format Verification",{"name":76},{"id":192,"name":193,"techniques":194},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"_key":196,"id":196,"name":197,"description":198,"type":15,"status":199,"abstraction":17,"likelihood_of_exploit":200,"capec":201},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","Stable","High",[202,206,210,212,216],{"id":203,"name":204,"techniques":205},"CAPEC-126","Path Traversal",[],{"id":207,"name":208,"techniques":209},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":192,"name":193,"techniques":211},[],{"id":213,"name":214,"techniques":215},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":217,"name":218,"techniques":219},"CAPEC-79","Using Slashes in Alternate Encoding",[],[],[222,223,224],"GHSA-g5v4-5x39-vwhx","BIT-oras-2021-21272","GO-2021-0099",[],[227,229,231],{"_key":228},"SUSE-SU-2022:4606-1",{"_key":230},"OPENSUSE-SU-2024:12345-1",{"_key":232},"OPENSUSE-SU-2025:15779-1",[],[235,236,237],{"_key":228},{"_key":230},{"_key":232},"2021-01-25T18:30:15.000Z","2024-08-03T18:09:15.220Z","Modified",{"cisa_kev":242,"cisa_ransomware":242,"cisa_vendor":9,"epss_severity":243,"epss_score":244,"severity":245,"severity_score":246,"severity_version":247,"severity_source":248,"severity_vector":249,"severity_status":240},false,"low",0.00304,"high",7.7,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",[251,261,267,272,277,282,287],{"url":252,"sources":253,"tags":256},"https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx",[248,254,255],"nvd","osv_go",[257,258,259,260],"X Refsource CONFIRM","Patch","Vendor Advisory","WEB",{"url":262,"sources":263,"tags":264},"https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e",[248,254,255],[265,258,260,266],"X Refsource MISC","FIX",{"url":268,"sources":269,"tags":270},"https://github.com/deislabs/oras/releases/tag/v0.9.0",[248,254,255],[265,271,260],"Release Notes",{"url":273,"sources":274,"tags":275},"https://pkg.go.dev/github.com/deislabs/oras/pkg/oras",[248,254,255],[265,276,260],"Third Party Advisory",{"url":278,"sources":279,"tags":280},"https://nvd.nist.gov/vuln/detail/CVE-2021-21272",[255],[281],"Advisory",{"url":283,"sources":284,"tags":285},"https://github.com/deislabs/oras",[255],[286],"PACKAGE",{"url":288,"sources":289,"tags":290},"https://pkg.go.dev/vuln/GO-2021-0099",[255],[260],[],{"date":293,"score":244,"percentile":294},"2026-06-04",0.53975,[296,300,303,305,308,311,314,317,320,323,326,329,332,335,338,342,345,348,351,354,357,360,363,366,369,372,375,378,381,384,387,389,392,395,398,401,404,407,409,412,414,417,420,423,426,429,432,435,438,441,444,448,451,454,457,460,463,466,469,472,475,478,482,485,488,491,494,497,500,503,505,508,511,514,517,520,523,526,529,532,534,537,540,543,546,549,552,555,558,561],{"date":297,"score":298,"percentile":299},"2025-11-04",0.00223,0.44881,{"date":301,"score":298,"percentile":302},"2025-11-05",0.44868,{"date":304,"score":298,"percentile":299},"2025-11-06",{"date":306,"score":298,"percentile":307},"2025-11-07",0.44908,{"date":309,"score":298,"percentile":310},"2025-11-08",0.44906,{"date":312,"score":298,"percentile":313},"2025-11-09",0.44884,{"date":315,"score":298,"percentile":316},"2025-11-10",0.44845,{"date":318,"score":298,"percentile":319},"2025-11-11",0.44862,{"date":321,"score":298,"percentile":322},"2025-11-12",0.44895,{"date":324,"score":298,"percentile":325},"2025-11-13",0.44903,{"date":327,"score":298,"percentile":328},"2025-11-14",0.44918,{"date":330,"score":298,"percentile":331},"2025-11-15",0.44913,{"date":333,"score":298,"percentile":334},"2025-11-16",0.44897,{"date":336,"score":298,"percentile":337},"2025-11-17",0.44872,{"date":339,"score":340,"percentile":341},"2025-11-18",0.0029,0.49406,{"date":343,"score":340,"percentile":344},"2025-11-19",0.4942,{"date":346,"score":340,"percentile":347},"2025-11-20",0.49407,{"date":349,"score":298,"percentile":350},"2025-11-21",0.44867,{"date":352,"score":298,"percentile":353},"2025-11-22",0.44864,{"date":355,"score":298,"percentile":356},"2025-11-23",0.44838,{"date":358,"score":298,"percentile":359},"2025-11-24",0.4483,{"date":361,"score":298,"percentile":362},"2025-11-25",0.44839,{"date":364,"score":298,"percentile":365},"2025-11-26",0.4484,{"date":367,"score":298,"percentile":368},"2025-11-27",0.44847,{"date":370,"score":298,"percentile":371},"2025-11-28",0.44814,{"date":373,"score":298,"percentile":374},"2025-11-29",0.44796,{"date":376,"score":298,"percentile":377},"2025-11-30",0.4478,{"date":379,"score":298,"percentile":380},"2025-12-01",0.44916,{"date":382,"score":298,"percentile":383},"2025-12-02",0.44929,{"date":385,"score":298,"percentile":386},"2025-12-03",0.44925,{"date":388,"score":298,"percentile":377},"2025-12-04",{"date":390,"score":298,"percentile":391},"2025-12-05",0.44805,{"date":393,"score":298,"percentile":394},"2025-12-06",0.448,{"date":396,"score":298,"percentile":397},"2025-12-07",0.44781,{"date":399,"score":298,"percentile":400},"2025-12-08",0.44787,{"date":402,"score":298,"percentile":403},"2025-12-09",0.44822,{"date":405,"score":298,"percentile":406},"2025-12-10",0.44887,{"date":408,"score":298,"percentile":331},"2025-12-11",{"date":410,"score":298,"percentile":411},"2025-12-12",0.44942,{"date":413,"score":298,"percentile":383},"2025-12-13",{"date":415,"score":298,"percentile":416},"2025-12-14",0.4491,{"date":418,"score":298,"percentile":419},"2025-12-15",0.4489,{"date":421,"score":298,"percentile":422},"2025-12-16",0.44912,{"date":424,"score":298,"percentile":425},"2025-12-17",0.44943,{"date":427,"score":298,"percentile":428},"2025-12-18",0.4499,{"date":430,"score":298,"percentile":431},"2025-12-19",0.45002,{"date":433,"score":298,"percentile":434},"2025-12-20",0.44975,{"date":436,"score":298,"percentile":437},"2025-12-21",0.44944,{"date":439,"score":298,"percentile":440},"2025-12-22",0.4492,{"date":442,"score":298,"percentile":443},"2025-12-23",0.44921,{"date":445,"score":446,"percentile":447},"2025-12-24",0.00259,0.49062,{"date":449,"score":446,"percentile":450},"2025-12-25",0.49115,{"date":452,"score":446,"percentile":453},"2025-12-26",0.49105,{"date":455,"score":446,"percentile":456},"2025-12-27",0.49132,{"date":458,"score":446,"percentile":459},"2025-12-28",0.49044,{"date":461,"score":446,"percentile":462},"2025-12-29",0.49027,{"date":464,"score":446,"percentile":465},"2025-12-30",0.49022,{"date":467,"score":446,"percentile":468},"2025-12-31",0.49061,{"date":470,"score":446,"percentile":471},"2026-01-01",0.49226,{"date":473,"score":446,"percentile":474},"2026-01-02",0.49206,{"date":476,"score":446,"percentile":477},"2026-01-03",0.49195,{"date":479,"score":480,"percentile":481},"2026-01-04",0.00404,0.60391,{"date":483,"score":480,"percentile":484},"2026-01-05",0.60376,{"date":486,"score":480,"percentile":487},"2026-01-06",0.60384,{"date":489,"score":480,"percentile":490},"2026-01-07",0.60409,{"date":492,"score":480,"percentile":493},"2026-01-08",0.60435,{"date":495,"score":480,"percentile":496},"2026-01-09",0.60438,{"date":498,"score":480,"percentile":499},"2026-01-10",0.60432,{"date":501,"score":480,"percentile":502},"2026-01-11",0.60416,{"date":504,"score":480,"percentile":481},"2026-01-12",{"date":506,"score":480,"percentile":507},"2026-01-13",0.60354,{"date":509,"score":480,"percentile":510},"2026-01-14",0.60393,{"date":512,"score":480,"percentile":513},"2026-01-15",0.60392,{"date":515,"score":480,"percentile":516},"2026-01-16",0.60414,{"date":518,"score":480,"percentile":519},"2026-01-17",0.60408,{"date":521,"score":480,"percentile":522},"2026-01-18",0.60405,{"date":524,"score":480,"percentile":525},"2026-01-19",0.60388,{"date":527,"score":480,"percentile":528},"2026-01-20",0.60399,{"date":530,"score":480,"percentile":531},"2026-01-21",0.60401,{"date":533,"score":480,"percentile":522},"2026-01-22",{"date":535,"score":480,"percentile":536},"2026-01-23",0.60443,{"date":538,"score":480,"percentile":539},"2026-01-24",0.60452,{"date":541,"score":480,"percentile":542},"2026-01-25",0.60415,{"date":544,"score":480,"percentile":545},"2026-01-26",0.60407,{"date":547,"score":480,"percentile":548},"2026-01-27",0.60412,{"date":550,"score":480,"percentile":551},"2026-01-28",0.60424,{"date":553,"score":480,"percentile":554},"2026-01-29",0.60425,{"date":556,"score":480,"percentile":557},"2026-01-30",0.60427,{"date":559,"score":480,"percentile":560},"2026-01-31",0.60433,{"date":562,"score":480,"percentile":563},"2026-02-01",0.60562,[565,570,577],{"source":248,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":566,"cvss_v4_0":9},{"baseScore":246,"baseSeverity":567,"vectorString":249,"impactScore":568,"exploitabilityScore":569},"HIGH",6.7,7.9,{"source":254,"cvss_v2_0":571,"cvss_v3_0":9,"cvss_v3_1":576,"cvss_v4_0":9},{"baseScore":572,"baseSeverity":9,"vectorString":573,"impactScore":574,"exploitabilityScore":575},4,"AV:N/AC:L/Au:S/C:N/I:P/A:N",2.9,8,{"baseScore":246,"baseSeverity":567,"vectorString":249,"impactScore":568,"exploitabilityScore":569},{"source":255,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":578,"cvss_v4_0":9},{"baseScore":246,"baseSeverity":9,"vectorString":249,"impactScore":568,"exploitabilityScore":569},[580,593],{"ecosystem":9,"name":581,"vendor":582,"product":581,"cpe_part":583,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":584},"oras","deislabs","a",[585],{"version":586,"is_range":587,"range_type":588,"version_start":589,"version_start_type":590,"version_end":591,"version_end_type":592,"fixed_in":9},">= 0.4.0, \u003C 0.9.0",true,"cpe","0.4.0","including","0.9.0","excluding",{"ecosystem":594,"name":595,"vendor":596,"product":581,"cpe_part":9,"purl_type":597,"purl_namespace":596,"purl_name":581,"source":9,"versions":598},"Go","github.com/deislabs/oras","github.com/deislabs","golang",[599],{"version":600,"is_range":587,"range_type":601,"version_start":9,"version_start_type":9,"version_end":591,"version_end_type":592,"fixed_in":9},"lt0_9_0","semver"]