Skip to content
This repository was archived by the owner on Jun 9, 2024. It is now read-only.

Path traversal mitigation bypass in OctoRPKI

Moderate
mskowroncf published GHSA-3jhm-87m6-x959 Jun 23, 2022

Package

gomod github.com/cloudflare/cfrpki/cmd/octorpki (Go)

Affected versions

<1.4.3

Patched versions

1.4.3

Description

Impact

The existing URI path filters in OctoRPKI (version < 1.4.3) mitigating Path traversal vulnerability could be bypassed by an attacker. In case a malicious TAL file is parsed, it was possible to write files outside the base cache folder.

Patches

The issue was fixed in version 1.4.3

References

CVE-2021-3907

Severity

Moderate

CVE ID

CVE-2021-3907

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits