CVE-2021-41149

Опубликовано: 19 окт. 2021

Источник: nvd

CVSS3: 8.2

CVSS3: 8.1

CVSS2: 8.5

EPSS Низкий

Описание

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Ссылки

https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
Patch
Third Party Advisory
https://github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m485
Third Party Advisory
https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
Patch
Third Party Advisory
https://github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m485
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*

Версия до 0.12.0 (исключая)

EPSS

Процентиль: 74%

0.00851

Низкий

8.2 High

CVSS3

8.1 High

CVSS3

8.5 High

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-x3r5-q6mj-m485

CVSS3: 8.2

github

больше 4 лет назад

Improper sanitization of target names

EPSS

Процентиль: 74%

0.00851

Низкий

8.2 High

CVSS3

8.1 High

CVSS3

8.5 High

CVSS2

Дефекты

CWE-22