{"id":"UBUNTU-CVE-2021-3139","details":"In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.","modified":"2026-05-20T16:06:27.709488848Z","published":"2021-01-13T16:15:00Z","related":["USN-4707-1"],"upstream":["CVE-2021-3139"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-3139"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2021/01/13/5"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4707-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-3139"}],"affected":[{"package":{"name":"tcmu","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/tcmu?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.2-5ubuntu0.20.04.1"}]}],"versions":["1.4.0-1","1.5.2-2","1.5.2-2ubuntu1","1.5.2-3","1.5.2-4","1.5.2-5","1.5.2-5build1"],"ecosystem_specific":{"binaries":[{"binary_name":"libtcmu2","binary_version":"1.5.2-5ubuntu0.20.04.1"},{"binary_name":"tcmu-runner","binary_version":"1.5.2-5ubuntu0.20.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3139.json"}},{"package":{"name":"tcmu","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/tcmu?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.2-6","1.5.4-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libtcmu2","binary_version":"1.5.4-2"},{"binary_name":"tcmu-runner","binary_version":"1.5.4-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3139.json"}},{"package":{"name":"tcmu","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/tcmu?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.4-4.1","1.5.4-5","1.5.4-6ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"libtcmu2","binary_version":"1.5.4-6ubuntu1"},{"binary_name":"tcmu-runner","binary_version":"1.5.4-6ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3139.json"}},{"package":{"name":"tcmu","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/tcmu?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.4-9"],"ecosystem_specific":{"binaries":[{"binary_name":"libtcmu2","binary_version":"1.5.4-9"},{"binary_name":"tcmu-runner","binary_version":"1.5.4-9"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3139.json"}},{"package":{"name":"tcmu","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/tcmu?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.4-9","1.5.4-10"],"ecosystem_specific":{"binaries":[{"binary_name":"libtcmu2","binary_version":"1.5.4-10"},{"binary_name":"tcmu-runner","binary_version":"1.5.4-10"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3139.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}