fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1918181]
When exporting a subdirectory of a filesystem, enable the subtree_check option of the NFS server to prevent access outside of this export.
This flaw is rated as having Moderate impact because of the attack limitation: the user can gain more access than expected only inside the NFS root mount point, and only if they already have permission to access this NFS sub-folder.
Also, this is a known limitation of NFSv3, and there is a known and documented configuration option to avoid it. As such, this is more of a hardening issue than a security issue.
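
One way to check a server against the mitigation above is to list the subdirectory exports in /etc/exports that do not have subtree_check in effect. This is an added example, not code from this bug report or from nfs-utils; the sample exports content, the function name `audit_exports` and the `is_mount` hook are constructed for illustration.

```python
import os

# Constructed sample /etc/exports content (not taken from the page).
SAMPLE_EXPORTS = """\
# path              client(options) ...
/srv/data/projects  192.0.2.0/24(rw,sync,no_subtree_check)
/srv/data/public    *(ro,sync)
/srv/data/home      198.51.100.7(rw,subtree_check) 198.51.100.8(rw)
/srv/data/archive   -subtree_check 203.0.113.0/24(ro)
/srv/scratch        192.0.2.0/24(rw)
"""


def audit_exports(text, is_mount=os.path.ismount):
    """Return (path, client, reason) for subdirectory exports without subtree_check.

    Assumptions: paths contain no quoted or escaped whitespace, and an export
    that names neither option gets no_subtree_check (the nfs-utils default
    since 1.1.0).
    """
    findings = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        path, entries = fields[0], fields[1:]
        if is_mount(path):
            continue  # export is a filesystem root, not a subdirectory
        defaults = set()
        for entry in entries:
            if entry.startswith("-"):
                # "-opt,opt" sets defaults for the clients that follow on this line
                defaults = set(entry[1:].split(","))
                continue
            client, _, rest = entry.partition("(")
            opts = set(rest.rstrip(")").split(",")) - {""}
            if "no_subtree_check" in opts:
                findings.append((path, client, "no_subtree_check set"))
            elif "subtree_check" in opts:
                continue
            elif "subtree_check" not in defaults:
                findings.append((path, client, "subtree_check not set"))
    return findings


if __name__ == "__main__":
    # /srv/scratch is treated as its own filesystem in this constructed run.
    for path, client, reason in audit_exports(SAMPLE_EXPORTS, lambda p: p == "/srv/scratch"):
        print(f"{path} -> {client}: {reason}")
```

On a real server, call `audit_exports(open("/etc/exports").read())` so that `os.path.ismount` decides which exports are subdirectories.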