SCA: security update for sharpcompress (GHSA-jp7f-grcv-6mjf)

medium Tenable Self-Hosted Container Security Plugin ID 416486

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions
prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of
directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent
extraction outside the destination directory the destinationFileName path is verified to begin with
fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that
fullDestinationDirectoryPath ends with slash. If the destinationDirectory is not slash terminated like
`/home/user/dir` it is possible to create a file with a name thats begins as the destination directory one
level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory
constraints the arbitrary file creation impact is limited and depends on the use case. This issue is fixed
in SharpCompress version 0.29.0. (CVE-2021-39208)

See Also

https://github.com/advisories/GHSA-jp7f-grcv-6mjf

Plugin Details

Severity: Medium

ID: 416486

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2021-39208

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 2.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/20/2021

Vulnerability Publication Date: 9/16/2021

Reference Information

CVE: CVE-2021-39208

cwe: CWE-22