Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14M3I1LXE2bWotbTQ4Nc0WnA

Improper sanitization of target names

Impact

The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system.

AWS would like to thank https://github.com/jku for reporting this issue.

Patches

A fix is available in version 0.12.0.

Workarounds

No workarounds to this issue are known.

Permalink: https://github.com/advisories/GHSA-x3r5-q6mj-m485
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14M3I1LXE2bWotbTQ4Nc0WnA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Identifiers: GHSA-x3r5-q6mj-m485, CVE-2021-41149
References: Repository: https://github.com/awslabs/tough
Blast Radius: 14.0

Affected Packages

cargo:tough
Dependent packages: 4
Dependent repositories: 51
Downloads: 776,362 total
Affected Version Ranges: < 0.12.0
Fixed in: 0.12.0
All affected versions: 0.0.0, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3
All unaffected versions: 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1