CVE-2021-41149: Improper sanitization of target names

October 19, 2021

The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system.

AWS would like to thank https://github.com/jku for reporting this issue.

References

github.com/advisories/GHSA-x3r5-q6mj-m485
github.com/awslabs/tough
github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m485
nvd.nist.gov/vuln/detail/CVE-2021-41149

Detect and mitigate CVE-2021-41149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →