fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. Reference: https://patchwork.kernel.org/project/linux-nfs/patch/20210111210129.GA11652@fieldses.org/
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1918181]
Mitigation: When exporting a subdirectory of a filesystem, enable the subtree_check option of the NFS server to prevent access outside of this export.
Statement: This flaw is rated as having Moderate impact because of the attack limitation: the user can gain more access than expected only inside the NFS root mount point, and only if they already have permissions for access to this NFS sub-folder. Also, this is a known limitation of NFSv3, and there is a known and documented configuration option to avoid it. As such, this is more of a hardening issue than a security issue.
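To apply the mitigation above, it helps to find every export that is a subdirectory rather than a filesystem mount point and that lacks subtree_check. The following audit script is an added example, not part of the original advisory; the sample exports text, host names, networks and mount points are constructed, and the handling of "-" default options assumes that per-client options are applied after the line's defaults.

```python
import os
import re

# Constructed sample /etc/exports; /srv is assumed to be the filesystem mount point.
SAMPLE_EXPORTS = """\
# constructed sample, not from the advisory
/srv            10.0.0.0/24(rw,sync,no_subtree_check)
/srv/projects   10.0.0.0/24(rw,sync) \\
                backup.example(ro,subtree_check)
/srv/scratch    -sync,subtree_check 10.0.1.0/24 10.0.2.0/24(rw,no_subtree_check)
"""
SAMPLE_MOUNTPOINTS = {"/", "/srv"}

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client or client(opt,opt)

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    logical = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    for line in logical.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):  # "-opt,opt": defaults for later clients on this line
                defaults = field[1:].split(",")
                continue
            m = CLIENT_RE.match(field)
            if m:
                own = m.group(2).split(",") if m.group(2) else []
                # Assumption: client options are applied on top of the defaults.
                yield path, m.group(1) or "*", defaults + own

def subtree_check_enabled(options):
    """The last of the two flags wins; with neither, nfs-utils uses no_subtree_check."""
    flags = [o for o in options if o in ("subtree_check", "no_subtree_check")]
    return bool(flags) and flags[-1] == "subtree_check"

def audit(text, is_mount=os.path.ismount):
    """Return (path, client) pairs that export a non-mount-point without subtree_check."""
    return [(path, client) for path, client, opts in parse_exports(text)
            if not is_mount(path.rstrip("/") or "/") and not subtree_check_enabled(opts)]
```

On an NFS server, `audit(open("/etc/exports").read())` checks the live configuration using the real mount table; paths containing quoted spaces are not handled.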