Suse
CVE-2026-32771
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
The sanitizeArchivePath function in pkg/extract/extract.go (lines 248-254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI tool or the extract.DumpOTelCollector library function.
Vulnerable Code
File: pkg/extract/extract.go, lines 248-254
func sanitizeArchivePath(d, t string) (v string, err error) {
v = filepath.Join(d, t)
if strings.HasPrefix(v, filepath.Clean(d)) { // ← missing trailing separator
return v, nil
}
return "", fmt.Errorf("filepath is tainted: %s", t)
}The function is called at line 219 inside untar, which is invoked by copyFromPod (line 205) during the Cold Extract data dump workflow.
Root Cause
strings.HasPrefix(v, filepath.Clean(d)) does not append a trailing / to the directory prefix, causing a directory name prefix collision. If the destination is /home/user/extract-output and a tar entry is named ../extract-outputevil/pwned, the joined path /home/user/extract-outputevil/pwned passes the prefix check - it starts with /home/user/extract-output - even though it is entirely outside the intended directory.
Steps to Reproduce
- Deploy the monitoring stack with
ColdExtract: true. The OTEL Collector begins writing signal data (otel_traces,otel_metrics,otel_logs) to the shared PVC. - Place the PoC tar on the PVC. Any pod with write access to the
ReadWriteManyPVC (or the compromised OTEL Collector itself) copies apoc-path-traversal.tarinto the/data/collectormount path. The archive contains three real-looking OTLP telemetry files alongside two crafted entries with path-traversal names. - Run the extractor against the namespace:
extractor \
--namespace monitoring \
--pvc-name <signals-pvc-name> \
--directory /home/user/extract-output- Observe the bypass.
untarprocesses the tar stream. For the malicious entries:
// entry name: ../extract-outputevil/poc-proof.txt
filepath.Join("/home/user/extract-output", "../extract-outputevil/poc-proof.txt")
=> "/home/user/extract-outputevil/poc-proof.txt"
strings.HasPrefix("/home/user/extract-outputevil/poc-proof.txt",
"/home/user/extract-output")
=> true // BUG: prefix collision; file lands OUTSIDE target dirBoth malicious entries are written outside /home/user/extract-output/. The three legitimate OTLP files land correctly inside it.
Impact
Successful exploitation gives an attacker arbitrary file write on the machine running the extractor. Real-world primitives include:
- Overwriting
~/.bashrc/~/.zshrc/~/.profilefor RCE on next shell login - Appending to
~/.ssh/authorized_keysfor persistent SSH backdoor - Dropping a malicious entry into
~/.kube/configto hijack cluster access - Writing crontab entries for persistent scheduled execution
The attack surface is widened by the default ReadWriteMany PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload - not just the OTEL Collector itself.
AnalysisAI
Path traversal in the extractor CLI tool and extract.DumpOTelCollector library function allows attackers to write files outside the intended extraction directory by exploiting an incomplete path validation check in the sanitizeArchivePath function. A maliciously crafted tar archive can bypass the prefix check and place arbitrary files on the system when processed. A patch is available to address the missing trailing path separator validation.
Technical ContextAI
Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.
RemediationAI
A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-f7cq-gvh6-qr25