CVE-2021-41150

Опубликовано: 19 окт. 2021

Источник: nvd

CVSS3: 8.2

CVSS3: 6.5

CVSS2: 3.5

EPSS Низкий

Описание

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Ссылки

https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
Patch
Third Party Advisory
https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c
Third Party Advisory
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
Third Party Advisory
https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
Patch
Third Party Advisory
https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c
Third Party Advisory
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*

Версия до 0.12.0 (исключая)

EPSS

Процентиль: 66%

0.00524

Низкий

8.2 High

CVSS3

6.5 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-r56q-vv3c-6g9c

CVSS3: 8.2

github

больше 4 лет назад

Improper sanitization of delegated role names

EPSS

Процентиль: 66%

0.00524

Низкий

8.2 High

CVSS3

6.5 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-22