Description
Path traversal in github.com/cloudflare/cfrpki/cmd/octorpki
Impact
If octorpki parses a malicious TAL file that points to a repository serving a malicious ROA file, and octorpki downloads that file, the existing directory traversal mitigation can be bypassed, allowing a write outside the current directory.
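The hardening pattern this class of bug calls for is to join every repository-supplied object name onto the cache directory and then check containment on the cleaned, absolute result, rather than on the raw string. The following Go code is an added example written for this page; it is not octorpki's code and makes no claim about what its mitigation looked like. The base directory, file names and the NaivePrefixCheck contrast are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a repository-supplied file path would land
// outside the validator's cache directory.
var ErrOutsideBase = errors.New("path escapes the cache directory")

// SafeJoin joins an untrusted relative path (e.g. the name of a ROA object as
// advertised by a remote RPKI repository) onto the cache base directory and
// rejects any result that does not stay inside that directory.
// Containment is checked on the cleaned, absolute result with filepath.Rel,
// so "..", "a/../..", absolute paths and NUL bytes are all refused no matter
// how they are spelled.
func SafeJoin(base, untrusted string) (string, error) {
	cleanBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	if untrusted == "" || filepath.IsAbs(untrusted) || strings.ContainsRune(untrusted, 0) {
		return "", ErrOutsideBase
	}
	// Join cleans the result, resolving any "." and ".." components.
	joined := filepath.Join(cleanBase, untrusted)
	// Rel reports whether joined is still under cleanBase: an escape shows
	// up as a relative path beginning with "..".
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// NaivePrefixCheck shows why a plain string-prefix test is not a sufficient
// mitigation: it accepts any path whose text starts with the base directory,
// including a sibling directory such as base+"_evil". It is a constructed
// contrast, not a description of octorpki's own check.
func NaivePrefixCheck(base, candidate string) bool {
	return strings.HasPrefix(filepath.Clean(candidate), filepath.Clean(base))
}

func main() {
	// Constructed sample inputs, as a hostile repository might advertise them.
	base := "/var/cache/octorpki"
	for _, p := range []string{
		"rsync/rpki.example.net/repo/AS64496.roa",
		"rsync/../../etc/cron.d/backdoor",
		"../../../etc/passwd",
		"/etc/passwd",
		"rsync/rpki.example.net/repo/../AS64496.roa",
	} {
		out, err := SafeJoin(base, p)
		if err != nil {
			fmt.Printf("REJECT %-45q %v\n", p, err)
			continue
		}
		fmt.Printf("ACCEPT %-45q -> %s\n", p, out)
	}
	fmt.Println("naive prefix check accepts sibling dir:",
		NaivePrefixCheck(base, "/var/cache/octorpki_evil/x.roa"))
}
```

Note that a name such as "..x/file.roa" is a legitimate filename and is accepted, because the check is on the resolved path rather than on the presence of the substring "..". Symlinks already present inside the cache are a separate concern that this check does not address.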
Patches
The advisory text states that no patch release had been made at the time it was published; the package data below records 1.4.3 as the fixed version.
References
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8459-6rc9-8vf8
- https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd
- https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- https://github.com/cloudflare/cfrpki/releases/tag/v1.4.3
Packages
Name: github.com/cloudflare/cfrpki (go)
Affected versions: <= 1.4.2
Fixed version: 1.4.3
Weaknesses
CWE-22