{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32771", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.534Z", "datePublished": "2026-03-20T00:29:23.804Z", "dateUpdated": "2026-03-20T16:45:32.747Z"}, "containers": {"cna": {"title": "Monitoring is vulnerable to Archive Slip due to missing checks in sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"}, {"name": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "tags": ["x_refsource_MISC"], "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"}, {"name": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"}], "affected": [{"vendor": "ctfer-io", "product": "monitoring", "versions": [{"version": "< 0.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:29:23.804Z"}, "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}], "source": {"advisory": "GHSA-f7cq-gvh6-qr25", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:45:12.356945Z", "id": "CVE-2026-32771", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:45:32.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:45:12.356945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:45:26.064Z"}}], "cna": {"title": "Monitoring is vulnerable to Archive Slip due to missing checks in sanitization", "source": {"advisory": "GHSA-f7cq-gvh6-qr25", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ctfer-io", "product": "monitoring", "versions": [{"status": "affected", "version": "< 0.2.2"}]}], "references": [{"url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "name": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "name": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "tags": ["x_refsource_MISC"]}, {"url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "name": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:29:23.804Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32771", "state": "PUBLISHED", "dateUpdated": "2026-03-20T16:45:32.747Z", "dateReserved": "2026-03-13T18:53:03.534Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T00:29:23.804Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}], "id": "CVE-2026-32771", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T01:15:55.940", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"}, {"source": "security-advisories@github.com", "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"}, {"source": "security-advisories@github.com", "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "monitoring", "source": "cna", "vendor": "ctfer-io"}, "product": "monitoring", "vendor": "ctfer-io"}], "analysis": {"en": {"generated_at": "2026-03-20T02:21:14.351921+00:00", "value": {"mitigation_remediation": ["Upgrade ctfer-io:monitoring to version 0.2.2 or later.", "Ensure that any PVCs used by monitoring are restricted to ReadWriteOnce or bound to non\u2011cluster\u2011wide storage if the supply of upgrades is delayed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected only the ctfer-io:monitoring product. All releases before version\u00a00.2.2 are impacted, including 0.2.1 and earlier. No specific subversion list is available, but any build prior to 0.2.2 is vulnerable.", "description_and_impact": "The CTFer.io Monitoring component suffers from an Archive Slip (path traversal) due to a missing trailing path separator in the sanitizeArchivePath function. The flaw allows an attacker to craft an extraction that writes arbitrary files, potentially overwriting critical system files such as SSH keys, kubeconfig, shell configs, or crontabs. This gives the attacker a path to remote code execution and persistent backdoors in the cluster environment. The vulnerability is classified as CWE-22.", "risk_and_exploitability": "The vulnerability has a CVSS v3.1 score of 8.8, indicating high severity. EPSS data is not available, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires a pod with the default ReadWriteMany PVC access mode, allowing injection of malicious payloads. Attackers leveraging any pod in the cluster can exploit the flaw, and the lack of checks in the extraction process means the path traversal can be performed without additional privilege escalation."}}}}, "created": "2026-03-20T08:54:09.135971+00:00", "updated": "2026-03-20T10:43:36.095887+00:00", "vendors": ["ctfer-io", "ctfer-io$PRODUCT$monitoring"]}