Vulnerability-Lookup

CVE-2026-32771 (GCVE-0-2026-32771)

Vulnerability from cvelistv5 – Published: 2026-03-20 00:29 – Updated: 2026-03-20 16:45

Title

Monitoring is vulnerable to Archive Slip due to missing checks in sanitization

Summary

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.

Severity ?

8.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ctfer-io/monitoring/security/a…	x_refsource_CONFIRM
	https://github.com/ctfer-io/monitoring/commit/269…	x_refsource_MISC
	https://security.snyk.io/research/zip-slip-vulner…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ctfer-io	monitoring	Affected: < 0.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32771",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:45:12.356945Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T16:45:32.747Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "monitoring",
          "vendor": "ctfer-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T00:29:23.804Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"
        },
        {
          "name": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"
        },
        {
          "name": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"
        }
      ],
      "source": {
        "advisory": "GHSA-f7cq-gvh6-qr25",
        "discovery": "UNKNOWN"
      },
      "title": "Monitoring is vulnerable to Archive Slip due to missing checks in sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32771",
    "datePublished": "2026-03-20T00:29:23.804Z",
    "dateReserved": "2026-03-13T18:53:03.534Z",
    "dateUpdated": "2026-03-20T16:45:32.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32771",
      "date": "2026-04-24",
      "epss": "0.0003",
      "percentile": "0.08515"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32771\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T01:15:55.940\",\"lastModified\":\"2026-04-16T13:28:34.990\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.\"},{\"lang\":\"es\",\"value\":\"El componente de monitoreo de CTFer.io se encarga de la recolecci\u00f3n, procesamiento y almacenamiento de varias se\u00f1ales (es decir, registros, m\u00e9tricas y trazas distribuidas). En versiones anteriores a la 0.2.2, la funci\u00f3n sanitizeArchivePath en pkg/extract/extract.go (l\u00edneas 248\u2013254) es vulnerable a salto de ruta debido a la falta de un separador de ruta final en la verificaci\u00f3n strings.HasPrefix. El extractor permite escrituras de archivos arbitrarias (por ejemplo, sobrescribir configuraciones de shell, claves SSH, kubeconfig o crontabs), lo que permite RCE y puertas traseras persistentes. La superficie de ataque se amplifica a\u00fan m\u00e1s por el modo de acceso predeterminado ReadWriteMany de PVC, que permite a cualquier pod en el cl\u00faster inyectar una carga \u00fatil maliciosa. Este problema ha sido solucionado en la versi\u00f3n 0.2.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.2.2\",\"matchCriteriaId\":\"69EE5432-4A5D-4B8F-8D6F-9A5111DFD7B8\"}]}]}],\"references\":[{\"url\":\"https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32771\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T16:45:12.356945Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:45:26.064Z\"}}], \"cna\": {\"title\": \"Monitoring is vulnerable to Archive Slip due to missing checks in sanitization\", \"source\": {\"advisory\": \"GHSA-f7cq-gvh6-qr25\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ctfer-io\", \"product\": \"monitoring\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25\", \"name\": \"https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a\", \"name\": \"https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title\", \"name\": \"https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T00:29:23.804Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32771\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T16:45:32.747Z\", \"dateReserved\": \"2026-03-13T18:53:03.534Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T00:29:23.804Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-F7CQ-GVH6-QR25

Vulnerability from github – Published: 2026-03-16 20:46 – Updated: 2026-03-20 21:18

Summary

Monitoring is vulnerable to Archive Slip due to missing checks in sanitization

Details

The sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI tool or the extract.DumpOTelCollector library function.

Vulnerable Code

File: pkg/extract/extract.go, lines 248–254

func sanitizeArchivePath(d, t string) (v string, err error) {
    v = filepath.Join(d, t)
    if strings.HasPrefix(v, filepath.Clean(d)) {   // ← missing trailing separator
        return v, nil
    }
    return "", fmt.Errorf("filepath is tainted: %s", t)
}

The function is called at line 219 inside untar, which is invoked by copyFromPod (line 205) during the Cold Extract data dump workflow.

Root Cause

strings.HasPrefix(v, filepath.Clean(d)) does not append a trailing / to the directory prefix, causing a directory name prefix collision. If the destination is /home/user/extract-output and a tar entry is named ../extract-outputevil/pwned, the joined path /home/user/extract-outputevil/pwned passes the prefix check — it starts with /home/user/extract-output — even though it is entirely outside the intended directory.

Steps to Reproduce

Deploy the monitoring stack with ColdExtract: true. The OTEL Collector begins writing signal data (otel_traces, otel_metrics, otel_logs) to the shared PVC.
Place the PoC tar on the PVC. Any pod with write access to the ReadWriteMany PVC (or the compromised OTEL Collector itself) copies a poc-path-traversal.tar into the /data/collector mount path. The archive contains three real-looking OTLP telemetry files alongside two crafted entries with path-traversal names.
Run the extractor against the namespace:

extractor \ --namespace monitoring \ --pvc-name <signals-pvc-name> \ --directory /home/user/extract-output

Observe the bypass. untar processes the tar stream. For the malicious entries:

``` // entry name: ../extract-outputevil/poc-proof.txt filepath.Join("/home/user/extract-output", "../extract-outputevil/poc-proof.txt") => "/home/user/extract-outputevil/poc-proof.txt"

strings.HasPrefix("/home/user/extract-outputevil/poc-proof.txt", "/home/user/extract-output") => true // BUG: prefix collision; file lands OUTSIDE target dir ```

Both malicious entries are written outside /home/user/extract-output/. The three legitimate OTLP files land correctly inside it.

Impact

Successful exploitation gives an attacker arbitrary file write on the machine running the extractor. Real-world primitives include:

Overwriting ~/.bashrc / ~/.zshrc / ~/.profile for RCE on next shell login
Appending to ~/.ssh/authorized_keys for persistent SSH backdoor
Dropping a malicious entry into ~/.kube/config to hijack cluster access
Writing crontab entries for persistent scheduled execution

The attack surface is widened by the default ReadWriteMany PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload — not just the OTEL Collector itself.

Severity ?

8.3 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ctfer-io/monitoring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T20:46:48Z",
    "nvd_published_at": "2026-03-20T01:15:55Z",
    "severity": "HIGH"
  },
  "details": "The `sanitizeArchivePath` function in `pkg/extract/extract.go` (lines 248\u2013254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory when using the `extractor` CLI tool or the `extract.DumpOTelCollector` library function.\n\n## Vulnerable Code\n\nFile: `pkg/extract/extract.go`, lines 248\u2013254\n\n```go\nfunc sanitizeArchivePath(d, t string) (v string, err error) {\n    v = filepath.Join(d, t)\n    if strings.HasPrefix(v, filepath.Clean(d)) {   // \u2190 missing trailing separator\n        return v, nil\n    }\n    return \"\", fmt.Errorf(\"filepath is tainted: %s\", t)\n}\n```\n\nThe function is called at line 219 inside `untar`, which is invoked by `copyFromPod` (line 205) during the Cold Extract data dump workflow.\n\n## Root Cause\n\n`strings.HasPrefix(v, filepath.Clean(d))` does not append a trailing `/` to the directory prefix, causing a **directory name prefix collision**. If the destination is `/home/user/extract-output` and a tar entry is named `../extract-outputevil/pwned`, the joined path `/home/user/extract-outputevil/pwned` passes the prefix check \u2014 it starts with `/home/user/extract-output` \u2014 even though it is entirely outside the intended directory.\n\n## Steps to Reproduce\n\n1. **Deploy the monitoring stack** with `ColdExtract: true`. The OTEL Collector begins writing signal data (`otel_traces`, `otel_metrics`, `otel_logs`) to the shared PVC.\n\n2. **Place the PoC tar on the PVC.** Any pod with write access to the `ReadWriteMany` PVC (or the compromised OTEL Collector itself) copies a `poc-path-traversal.tar` into the `/data/collector` mount path. The archive contains three real-looking OTLP telemetry files alongside two crafted entries with path-traversal names.\n\n3. **Run the extractor against the namespace:**\n\n   ```\n   extractor \\\n     --namespace monitoring \\\n     --pvc-name \u003csignals-pvc-name\u003e \\\n     --directory /home/user/extract-output\n   ```\n\n4. **Observe the bypass.** `untar` processes the tar stream. For the malicious entries:\n\n   ```\n   // entry name: ../extract-outputevil/poc-proof.txt\n   filepath.Join(\"/home/user/extract-output\", \"../extract-outputevil/poc-proof.txt\")\n     =\u003e \"/home/user/extract-outputevil/poc-proof.txt\"\n\n   strings.HasPrefix(\"/home/user/extract-outputevil/poc-proof.txt\",\n                     \"/home/user/extract-output\")\n     =\u003e true   // BUG: prefix collision; file lands OUTSIDE target dir\n   ```\n\n   Both malicious entries are written outside `/home/user/extract-output/`. The three legitimate OTLP files land correctly inside it.\n\n## Impact\n\nSuccessful exploitation gives an attacker arbitrary file write on the machine running the extractor. Real-world primitives include:\n\n- Overwriting `~/.bashrc` / `~/.zshrc` / `~/.profile` for RCE on next shell login\n- Appending to `~/.ssh/authorized_keys` for persistent SSH backdoor\n- Dropping a malicious entry into `~/.kube/config` to hijack cluster access\n- Writing crontab entries for persistent scheduled execution\n\nThe attack surface is widened by the default `ReadWriteMany` PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload \u2014 not just the OTEL Collector itself.",
  "id": "GHSA-f7cq-gvh6-qr25",
  "modified": "2026-03-20T21:18:29Z",
  "published": "2026-03-16T20:46:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32771"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ctfer-io/monitoring"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Monitoring is vulnerable to Archive Slip due to missing checks in sanitization"
}

FKIE_CVE-2026-32771

Vulnerability from fkie_nvd - Published: 2026-03-20 01:15 - Updated: 2026-04-16 13:28

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a	Patch
security-advisories@github.com	https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25	Exploit, Vendor Advisory
security-advisories@github.com	https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	ctfer	monitoring	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "69EE5432-4A5D-4B8F-8D6F-9A5111DFD7B8",
              "versionEndExcluding": "0.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."
    },
    {
      "lang": "es",
      "value": "El componente de monitoreo de CTFer.io se encarga de la recolecci\u00f3n, procesamiento y almacenamiento de varias se\u00f1ales (es decir, registros, m\u00e9tricas y trazas distribuidas). En versiones anteriores a la 0.2.2, la funci\u00f3n sanitizeArchivePath en pkg/extract/extract.go (l\u00edneas 248\u2013254) es vulnerable a salto de ruta debido a la falta de un separador de ruta final en la verificaci\u00f3n strings.HasPrefix. El extractor permite escrituras de archivos arbitrarias (por ejemplo, sobrescribir configuraciones de shell, claves SSH, kubeconfig o crontabs), lo que permite RCE y puertas traseras persistentes. La superficie de ataque se amplifica a\u00fan m\u00e1s por el modo de acceso predeterminado ReadWriteMany de PVC, que permite a cualquier pod en el cl\u00faster inyectar una carga \u00fatil maliciosa. Este problema ha sido solucionado en la versi\u00f3n 0.2.2."
    }
  ],
  "id": "CVE-2026-32771",
  "lastModified": "2026-04-16T13:28:34.990",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T01:15:55.940",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32771 (GCVE-0-2026-32771)

GHSA-F7CQ-GVH6-QR25

Vulnerable Code

Root Cause

Steps to Reproduce

Impact

FKIE_CVE-2026-32771

Tags

Sightings

Nomenclature