CVE-2021-3907: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 11, 2021 (updated February 1, 2023)

OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.

References

github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
nvd.nist.gov/vuln/detail/CVE-2021-3907

Detect and mitigate CVE-2021-3907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →