CVE-2021-3907: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
(updated )
OctoRPKI does not escape a URI with a filename containing “..”, this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
References
- github.com/advisories/GHSA-cqh2-vc2f-q4fh
- github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959
- github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
- nvd.nist.gov/vuln/detail/CVE-2021-3907
- pkg.go.dev/vuln/GO-2022-0248
- www.debian.org/security/2021/dsa-5033
- www.debian.org/security/2022/dsa-5041
Detect and mitigate CVE-2021-3907 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →