{"id":"CVE-2021-3139","details":"In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.","modified":"2026-03-20T11:40:46.224234Z","published":"2021-01-13T16:15:14.617Z","related":["SUSE-SU-2021:0093-1","SUSE-SU-2021:0143-1","SUSE-SU-2021:0158-1","openSUSE-SU-2021:0097-1","openSUSE-SU-2021:0128-1"],"references":[{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2021/01/12/12"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/01/13/5"},{"type":"REPORT","url":"https://bugzilla.suse.com/attachment.cgi?id=844938"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1178372"},{"type":"FIX","url":"https://github.com/open-iscsi/tcmu-runner/pull/644"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-iscsi/tcmu-runner","events":[{"introduced":"8c9c9db914c9af86a8b0e895f90968b51247f072"},{"last_affected":"9c84f7a4348ac326ac269fbdda507953dba6ec2c"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"last_affected":"1.5.2"}]}}],"versions":["v1.3.0","v1.4.0","v1.4.0-rc1","v1.5.0","v1.5.1","v1.5.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3139.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}