Skip to content

Path traversal mitigation bypass in OctoRPKI

High severity GitHub Reviewed Published Jun 23, 2022 in cloudflare/cfrpki • Updated Oct 2, 2023

Package

gomod github.com/cloudflare/cfrpki (Go)

Affected versions

< 1.4.3

Patched versions

1.4.3

Description

Impact

The existing URI path filters in OctoRPKI (version < 1.4.3) mitigating Path traversal vulnerability could be bypassed by an attacker. In case a malicious TAL file is parsed, it was possible to write files outside the base cache folder.

Specific Go Packages Affected

github.com/cloudflare/cfrpki/cmd/octorpki

Patches

The issue was fixed in version 1.4.3

References

CVE-2021-3907

References

@mskowroncf mskowroncf published to cloudflare/cfrpki Jun 23, 2022
Published to the GitHub Advisory Database Jun 25, 2022
Reviewed Jun 25, 2022
Last updated Oct 2, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-3jhm-87m6-x959

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.