{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32771", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.534Z", "datePublished": "2026-03-20T00:29:23.804Z", "dateUpdated": "2026-03-20T16:45:32.747Z"}, "containers": {"cna": {"title": "Monitoring is vulnerable to Archive Slip due to missing checks in sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"}, {"name": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "tags": ["x_refsource_MISC"], "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"}, {"name": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"}], "affected": [{"vendor": "ctfer-io", "product": "monitoring", "versions": [{"version": "< 0.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:29:23.804Z"}, "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}], "source": {"advisory": "GHSA-f7cq-gvh6-qr25", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:45:12.356945Z", "id": "CVE-2026-32771", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:45:32.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:45:12.356945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:45:26.064Z"}}], "cna": {"title": "Monitoring is vulnerable to Archive Slip due to missing checks in sanitization", "source": {"advisory": "GHSA-f7cq-gvh6-qr25", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ctfer-io", "product": "monitoring", "versions": [{"status": "affected", "version": "< 0.2.2"}]}], "references": [{"url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "name": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "name": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a", "tags": ["x_refsource_MISC"]}, {"url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "name": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:29:23.804Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32771", "state": "PUBLISHED", "dateUpdated": "2026-03-20T16:45:32.747Z", "dateReserved": "2026-03-13T18:53:03.534Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T00:29:23.804Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:*", "matchCriteriaId": "69EE5432-4A5D-4B8F-8D6F-9A5111DFD7B8", "versionEndExcluding": "0.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248\u2013254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2."}, {"lang": "es", "value": "El componente de monitoreo de CTFer.io se encarga de la recolecci\u00f3n, procesamiento y almacenamiento de varias se\u00f1ales (es decir, registros, m\u00e9tricas y trazas distribuidas). En versiones anteriores a la 0.2.2, la funci\u00f3n sanitizeArchivePath en pkg/extract/extract.go (l\u00edneas 248\u2013254) es vulnerable a salto de ruta debido a la falta de un separador de ruta final en la verificaci\u00f3n strings.HasPrefix. El extractor permite escrituras de archivos arbitrarias (por ejemplo, sobrescribir configuraciones de shell, claves SSH, kubeconfig o crontabs), lo que permite RCE y puertas traseras persistentes. La superficie de ataque se amplifica a\u00fan m\u00e1s por el modo de acceso predeterminado ReadWriteMany de PVC, que permite a cualquier pod en el cl\u00faster inyectar una carga \u00fatil maliciosa. Este problema ha sido solucionado en la versi\u00f3n 0.2.2."}], "id": "CVE-2026-32771", "lastModified": "2026-04-16T13:28:34.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T01:15:55.940", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "monitoring", "source": "cna", "vendor": "ctfer-io"}, "product": "monitoring", "vendor": "ctfer-io"}], "analysis": {"en": {"generated_at": "2026-03-20T02:21:14.351921+00:00", "value": {"mitigation_remediation": ["Upgrade ctfer-io:monitoring to version 0.2.2 or later.", "Ensure that any PVCs used by monitoring are restricted to ReadWriteOnce or bound to non\u2011cluster\u2011wide storage if the supply of upgrades is delayed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected only the ctfer-io:monitoring product. All releases before version\u00a00.2.2 are impacted, including 0.2.1 and earlier. No specific subversion list is available, but any build prior to 0.2.2 is vulnerable.", "description_and_impact": "The CTFer.io Monitoring component suffers from an Archive Slip (path traversal) due to a missing trailing path separator in the sanitizeArchivePath function. The flaw allows an attacker to craft an extraction that writes arbitrary files, potentially overwriting critical system files such as SSH keys, kubeconfig, shell configs, or crontabs. This gives the attacker a path to remote code execution and persistent backdoors in the cluster environment. The vulnerability is classified as CWE-22.", "risk_and_exploitability": "The vulnerability has a CVSS v3.1 score of 8.8, indicating high severity. EPSS data is not available, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires a pod with the default ReadWriteMany PVC access mode, allowing injection of malicious payloads. Attackers leveraging any pod in the cluster can exploit the flaw, and the lack of checks in the extraction process means the path traversal can be performed without additional privilege escalation."}}}}, "created": "2026-03-20T08:54:09.135971+00:00", "updated": "2026-03-20T10:43:36.095887+00:00", "vendors": ["ctfer-io", "ctfer-io$PRODUCT$monitoring"]}