Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NDU5LTZyYzktOHZmOM0rtA
Path traversal in github.com/cloudflare/cfrpki/cmd/octorpki
Impact
If octorpki parses a malicious TAL (Trust Anchor Locator) file that points at a repository serving a malicious ROA (Route Origin Authorization) file, octorpki downloads that file, and its path can bypass the existing directory-traversal mitigation so that the file is written outside the current directory.
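The following Go example is added here and is not cfrpki's or octorpki's code. It contrasts an illustrative weak traversal check (rejecting only names that are ".." or begin with "../") with a hardened check that cleans the joined path and confirms via filepath.Rel that it still lies under the cache directory. The cache directory, the repository-supplied file names and the bypass string are constructed for the example; the actual bypass fixed in octorpki is in the referenced commits and is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// naiveSafeJoin models a weak traversal mitigation (illustrative, not
// octorpki's actual check): it rejects a repository-supplied name only when it
// is ".." or begins with "../", then joins it onto the cache directory.
func naiveSafeJoin(cacheDir, name string) (string, error) {
	if name == ".." || strings.HasPrefix(name, "../") {
		return "", errors.New("path traversal rejected")
	}
	// filepath.Join cleans the result, so ".." segments that appear later in
	// the name are resolved and can walk above cacheDir.
	return filepath.Join(cacheDir, name), nil
}

// escapesDir reports whether target, after cleaning, lies outside dir.
func escapesDir(dir, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(target))
	if err != nil {
		return true
	}
	// Match an exact ".." or a leading "../" component; a plain prefix test
	// on ".." would wrongly reject legitimate names such as "..foo".
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeJoin is the hardened form: join, clean, then verify the result is still
// rooted under cacheDir before returning it.
func safeJoin(cacheDir, name string) (string, error) {
	joined := filepath.Join(cacheDir, name)
	if escapesDir(cacheDir, joined) {
		return "", fmt.Errorf("path %q escapes %q", name, cacheDir)
	}
	return joined, nil
}

func main() {
	// Constructed inputs: a cache directory and file names as a hostile
	// repository might supply them.
	cacheDir := "/var/cache/octorpki"
	names := []string{
		"rsync.example.test/repo/route.roa",     // benign
		"../../../etc/cron.d/x",                 // caught by both checks
		"rsync.example.test/../../etc/cron.d/x", // bypasses the naive check
		"..",                                    // parent of cacheDir
	}
	for _, n := range names {
		p1, err1 := naiveSafeJoin(cacheDir, n)
		p2, err2 := safeJoin(cacheDir, n)
		fmt.Printf("%-42q naive=%q (%v) | hardened=%q (%v)\n", n, p1, err1, p2, err2)
	}
}
```

The hardened check is purely lexical: it does not account for symlinks already present under the cache directory, so a complete fix would also resolve the final path (filepath.EvalSymlinks) or, on Go 1.24 and later, open files through os.Root so containment is enforced by the operating system.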
Patches
The advisory text states that no patch release had been made at the time of publication; the references below point to two fix commits and to release v1.4.3, and the affected-version data lists 1.4.3 as the first unaffected version.
Permalink: https://github.com/advisories/GHSA-8459-6rc9-8vf8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NDU5LTZyYzktOHZmOM0rtA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: 6 months ago
Identifiers: GHSA-8459-6rc9-8vf8
References:
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8459-6rc9-8vf8
- https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd
- https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- https://github.com/cloudflare/cfrpki/releases/tag/v1.4.3
- https://github.com/advisories/GHSA-8459-6rc9-8vf8
Blast Radius: 0.0
Affected Packages
go:github.com/cloudflare/cfrpki
Dependent packages: 1
Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 1.4.2
Fixed in: 1.4.3
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2
All unaffected versions: 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10