PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-3806 Tubitak CVE debrief

CVE-2021-3806 affects Pardus Software Center from TÜBİTAK/Pardus. NVD describes it as a path traversal issue in the extractArchive function: member paths inside an archive can steer where extraction writes, so an attacker who controls the archive can place files outside the intended directory. The CVE description places that attacker in a man-in-the-middle position on the same network as the victim. NVD rates the issue CVSS 3.1 5.3 (Medium).

Vendor
Tubitak
Product
Pardus Software Center
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2021-09-18
Original CVE updated
2026-05-18
Advisory published
2021-09-18
Advisory updated
2026-05-18

Who should care

Administrators and users running Pardus Software Center, in particular versions earlier than 0.1.0 (the range NVD marks as affected), and environments in which it installs packages or extracts archives fetched over network paths that are not trusted.

Technical summary

NVD maps the vulnerable CPE to tubitak:pardus_software_center with versionEndExcluding 0.1.0 and classifies the weakness as CWE-22 (path traversal). The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L: no privileges are required, user interaction is required, scope is unchanged, and confidentiality, integrity, and availability are each rated Low. Note that the scored attack vector is Local while the CVE description speaks of a same-network man-in-the-middle attacker; the score is the recorded NVD value, not a precise model of that network scenario, so do not let the Local vector alone drive a decision to deprioritise the issue. The record and supplied description place the flaw in extractArchive, where a traversal sequence in an archive member path is carried into the destination path during extraction and results in file writes outside the intended directory.

Defensive priority

Medium priority: remediate affected Pardus Software Center installations promptly, giving first attention to systems that routinely extract archives from external sources or that retrieve software over network paths an attacker on the same segment could interpose on.

Recommended defensive actions

  • Check whether Pardus Software Center is installed and confirm whether the installed version is earlier than 0.1.0, the first version NVD excludes from the affected range.
  • Upgrade to 0.1.0 or a later vendor release; if no patched build is available for your system, reduce exposure or remove the software where practical.
  • Treat archive extraction as a sensitive operation: extract only archives from trusted sources, require that every member path resolve inside the destination directory before anything is written, and review any workflow that accepts externally supplied package content.
  • Monitor for unexpected file creation or modification after archive handling, especially under software installation paths and in directories the extractor should never touch.
  • Review the network paths used for package retrieval and reduce opportunities for man-in-the-middle substitution of archives, for example by insisting on authenticated, integrity-checked transport and on signature verification of retrieved content where the tooling supports it.
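The member-path check called for in the actions above, and the extraction behaviour outlined in the technical summary, as an added example. This is not code from Pardus Software Center and does not reproduce its extractArchive; it builds a constructed in-memory tar archive containing a member named `../../escape.txt`, shows the target path a naive join produces for it, and then shows a hardened extractor that resolves every member against the destination, rejects traversal, absolute names and non-regular members, and refuses the whole archive before writing a single byte. All function and sample names are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(include_traversal: bool) -> bytes:
    """Build a small tar archive in memory. Constructed sample data for this
    example, not a real Pardus package: one benign member and, optionally,
    one whose name climbs out of the extraction directory with '..'."""
    members = [("app/README", b"benign\n")]
    if include_traversal:
        members.append(("../../escape.txt", b"written outside dest\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unsafe_member_paths(archive: bytes, dest: str) -> list:
    """The traversal-prone pattern: each member name is joined onto dest with
    no check, so '..' components steer the write wherever the archive says.
    This only computes the target paths; it does not write anything."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return [os.path.normpath(os.path.join(dest, m.name)) for m in tar.getmembers()]


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened extraction: validate every member first, then extract.
    Any member whose resolved path leaves dest (covers '..' and absolute
    names) or that is not a regular file or directory (symlinks, devices)
    causes a ValueError before anything is written, so a bad archive leaves
    no partial state behind. Returns the resolved paths that were written."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
        targets = []
        for m in members:
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"path traversal rejected: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unsupported member type: {m.name!r}")
            targets.append(target)
        # Python 3.12+ (and the backports to 3.8-3.11 security releases) ship
        # tarfile.data_filter, which applies its own traversal and link checks
        # at extraction time; use it as a second layer where it exists.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tar.extract(m, path=dest_real, **kwargs)
    return targets


def demo() -> dict:
    """Run both extractors against the sample archives in a scratch
    directory and report what each would do."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_sample_archive(include_traversal=True)
        unsafe = unsafe_member_paths(hostile, dest)
        # At least one naive target lands outside the destination.
        results["unsafe_escapes"] = any(
            os.path.commonpath([dest, p]) != dest for p in unsafe)
        try:
            safe_extract(hostile, dest)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        # Validation happens before extraction, so the directory stays empty.
        results["files_after_reject"] = os.listdir(dest)
        written = safe_extract(build_sample_archive(include_traversal=False), dest)
        results["benign_written"] = [
            os.path.relpath(p, os.path.realpath(dest)) for p in written]
        with open(written[0], "rb") as fh:
            results["benign_content"] = fh.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validate-then-extract split is the part worth copying: checking each member just before writing it would still leave earlier members on disk when a later one is rejected, which is the partial-write state a software installer least wants.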

Evidence notes

This debrief is based on the supplied CVE metadata and the NVD record. The source corpus identifies CVE-2021-3806 as a CWE-22 path traversal in Pardus Software Center’s extractArchive function, with CVSS v3.1 5.3 and vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The NVD CPE entry marks tubitak:pardus_software_center as affected before 0.1.0. References in the corpus include the official CVE and NVD records plus USOM and other advisories; this brief does not rely on exploit details that those sources do not support.

Official resources

CVE-2021-3806 was published on 2021-09-18 and the NVD record was last modified on 2026-05-18. This brief uses the CVE publication date for timing context; the later modified timestamp reflects record maintenance only, not a change to the vulnerability itself.