Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNTZxLXZ2M2MtNmc5Y80WnQ
Improper sanitization of delegated role names
Impact
The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system.
AWS would like to thank https://github.com/jku for reporting this issue.
Patches
A fix is available in version 0.12.0.
Workarounds
No workarounds to this issue are known.
References
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
Permalink: https://github.com/advisories/GHSA-r56q-vv3c-6g9cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNTZxLXZ2M2MtNmc5Y80WnQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Identifiers: GHSA-r56q-vv3c-6g9c, CVE-2021-41150
References:
- https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c
- https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
- https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
- https://nvd.nist.gov/vuln/detail/CVE-2021-41150
- https://github.com/advisories/GHSA-r56q-vv3c-6g9c
Blast Radius: 14.0
Affected Packages
cargo:tough
Dependent packages: 4Dependent repositories: 51
Downloads: 783,349 total
Affected Version Ranges: < 0.12.0
Fixed in: 0.12.0
All affected versions: 0.0.0, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3
All unaffected versions: 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1