Vulnerability Report: GO-2022-0248
- CVE-2021-3907, GHSA-cqh2-vc2f-q4fh, and 1 more
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Apr 26, 2024
Manifest path extraction is vulnerable to directory traversal attacks. The ExtractPathManifest function accepts file paths containing relative directory components (".."), which allows files to reference arbitrary locations on the filesystem.
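A containment check of the kind this class of bug calls for, as an added example that is not cfrpki's code or its actual fix. The helper name `ResolveUnderBase`, the error value and the sample base directory and file names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a name would resolve outside the base directory.
var ErrTraversal = errors.New("path escapes base directory")

// ResolveUnderBase (hypothetical helper, not cfrpki's API) joins a file name
// taken from untrusted input onto base and rejects any result outside base.
func ResolveUnderBase(base, name string) (string, error) {
	// An empty or absolute name is never a valid relative reference.
	if name == "" || filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	// Reject ".." components outright instead of relying on normalization,
	// so "a/../b" is refused even though it would clean to a safe path.
	for _, part := range strings.Split(filepath.ToSlash(name), "/") {
		if part == ".." {
			return "", ErrTraversal
		}
	}
	// Join cleans the result; Rel then confirms it is still below base.
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base := "/var/cache/rpki/repo" // constructed sample directory
	// Constructed sample names: one legitimate, three that must be refused.
	names := []string{"ca/cert.cer", "../../etc/passwd", "a/../../b.roa", "/etc/passwd"}
	for _, n := range names {
		p, err := ResolveUnderBase(base, n)
		fmt.Printf("%-20q -> %q err=%v\n", n, p, err)
	}
}
```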
Affected Packages
- Versions: before v1.4.4
References
- https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd
- https://vuln.go.dev/ID/GO-2022-0248.json
Credits
- Koen van Hove