GMS-2022-9572: Path traversal in github.com/cloudflare/cfrpki/cmd/octorpki

February 14, 2022 (updated November 9, 2023)

Impact

In the case that a malicious TAL file is parsed pointing to a repository that provides a malicious ROA file which octorpki downloads, it is possible to bypass the current directory traversal mitigation to allow writing outside of the current directory.

Patches

No patch release has been made

References

github.com/advisories/GHSA-8459-6rc9-8vf8
github.com/cloudflare/cfrpki/security/advisories/GHSA-8459-6rc9-8vf8

Detect and mitigate GMS-2022-9572 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →