CVE-2021-3907

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-3907

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3907.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-3907

Aliases

Related

Published

2021-11-11T22:15:07Z

Modified

2024-09-18T03:15:45.622946Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.

References

Affected packages

Debian:11 / cfrpki

Package

Name: cfrpki
Purl: pkg:deb/debian/cfrpki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.2-1~deb11u1

Affected versions

1.*

1.2.2-1

1.3.0-1

1.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / cfrpki

Package

Name: cfrpki
Purl: pkg:deb/debian/cfrpki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / fort-validator

Package

Name: fort-validator
Purl: pkg:deb/debian/fort-validator?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.3-1~deb11u1

Affected versions

1.*

1.5.0-1

1.5.1-1

1.5.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / fort-validator

Package

Name: fort-validator
Purl: pkg:deb/debian/fort-validator?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / fort-validator

Package

Name: fort-validator
Purl: pkg:deb/debian/fort-validator?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/cloudflare/cfrpki

Affected ranges

Type: GIT
Repo: https://github.com/cloudflare/cfrpki
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a8db4e009ef217484598ba1fd1c595b54e0f6422

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

v1.*

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2.0

v1.2.0-pre

v1.2.1

v1.2.2