Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zamhtLTg3bTYteDk1Oc4AAs_O
Path traversal mitigation bypass in OctoRPKI
Impact
The existing URI path filters in OctoRPKI (version < 1.4.3) mitigating Path traversal vulnerability could be bypassed by an attacker. In case a malicious TAL file is parsed, it was possible to write files outside the base cache folder.
Specific Go Packages Affected
github.com/cloudflare/cfrpki/cmd/octorpki
Patches
The issue was fixed in version 1.4.3
References
Permalink: https://github.com/advisories/GHSA-3jhm-87m6-x959JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zamhtLTg3bTYteDk1Oc4AAs_O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
Identifiers: GHSA-3jhm-87m6-x959
References:
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
- https://nvd.nist.gov/vuln/detail/CVE-2021-3907
- https://github.com/cloudflare/cfrpki/releases/tag/v1.4.3
- https://github.com/advisories/GHSA-3jhm-87m6-x959
Blast Radius: 0.0
Affected Packages
go:github.com/cloudflare/cfrpki
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.4.3
Fixed in: 1.4.3
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2
All unaffected versions: 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10