CVE-2021-41150
Summary
| CVE | CVE-2021-41150 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-19 20:15:00 UTC |
| Updated | 2021-10-26 17:04:00 UTC |
| Description | Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Improper sanitization of delegated role names · Advisory · awslabs/tough · GitHub | CONFIRM | github.com | |
| Client metadata path-traversal flaw can result in files written outside of metadata store · Advisory · theupdateframework/python-tuf · GitHub | MISC | github.com | |
| Merge pull request from GHSA-x3r5-q6mj-m485 · awslabs/tough@1809b9b · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.