Description
OctoRPKI does not escape a URI with a filename containing "..". This allows a repository to create a file (e.g. rsync://example.org/repo/../../etc/cron.daily/evil.roa) which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
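The class of check this description calls for, as an added Go example that is not OctoRPKI's code: a URI-to-cache-path mapping without and with a containment check. The function names, the error value and the `/var/cache/rpki` base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideCache marks a URI that must not be written to the cache (hypothetical name).
var ErrOutsideCache = errors.New("uri resolves outside cache base")

// inside reports whether p is located at or below base.
func inside(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// naiveCachePath joins host and path under base; ".." segments are resolved, never rejected.
func naiveCachePath(base, rawURI string) string {
	u, err := url.Parse(rawURI)
	if err != nil {
		return ""
	}
	return filepath.Join(base, u.Host, u.Path)
}

// safeCachePath rejects any ".." segment (url.Parse has already decoded %2e%2e),
// then verifies that the joined path is still below base before returning it.
func safeCachePath(base, rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil || u.Scheme != "rsync" || u.Host == "" {
		return "", errors.New("not a usable rsync URI")
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return "", ErrOutsideCache
		}
	}
	p := filepath.Join(base, u.Host, u.Path)
	if !inside(base, p) {
		return "", ErrOutsideCache
	}
	return p, nil
}

func main() { // base directory is an assumed value; the URI is the one quoted above
	fmt.Println(naiveCachePath("/var/cache/rpki", "rsync://example.org/repo/../../etc/cron.daily/evil.roa"))
	fmt.Println(safeCachePath("/var/cache/rpki", "rsync://example.org/repo/../../etc/cron.daily/evil.roa"))
}
```

With the naive mapping the URI from the description already leaves the repository's own directory; the hardened mapping refuses it before any file is created.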
| Release | Status | Note |
|---|---|---|
| devel | DNE | |
| esm-apps/jammy | not-affected | 1.4.2-1 |
| hirsute | ignored | end of life |
| impish | ignored | end of life |
| jammy | not-affected | 1.4.2-1 |
| kinetic | ignored | end of life, was needs-triage |
| lunar | ignored | end of life, was needs-triage |
| mantic | ignored | end of life, was needs-triage |
| noble | DNE | |
| questing | DNE | |
| Release | Status | Note |
|---|---|---|
| devel | not-affected | 1.6.6-1build1 |
| esm-apps/focal | needed | |
| esm-apps/jammy | not-affected | 1.5.3-1build1 |
| esm-apps/noble | not-affected | 1.6.1-1ubuntu0.1~esm2 |
| focal | ignored | end of standard support, was needs-triage |
| impish | ignored | end of life |
| jammy | not-affected | 1.5.3-1build1 |
| kinetic | ignored | end of life |
| lunar | ignored | end of life |
| mantic | ignored | end of life |
EPSS
CVSS2: 7.5 High
CVSS3: 7.4 High