Vulnerability Report: GO-2022-0248

CVE-2021-3907, GHSA-cqh2-vc2f-q4fh, and 1 more
Affects: github.com/cloudflare/cfrpki
Published: Jul 15, 2022
Modified: Apr 26, 2024

Manifest path extraction is vulnerable to directory traversal attacks. The ExtractPathManifest function permits file paths containing relative directory components (".."), permitting files to reference arbitrary locations on the filesystem.

Affected Packages

Path

Versions

Symbols
github.com/cloudflare/cfrpki/validator/pki

before v1.4.4
5 affected symbols

Aliases

CVE-2021-3907
GHSA-cqh2-vc2f-q4fh
GHSA-8459-6rc9-8vf8

References

https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd
https://vuln.go.dev/ID/GO-2022-0248.json

Credits

Koen van Hove

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL