GHSA-r56q-vv3c-6g9c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r56q-vv3c-6g9c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-r56q-vv3c-6g9c/GHSA-r56q-vv3c-6g9c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r56q-vv3c-6g9c
- Aliases
- Published
- 2021-10-19T20:16:26Z
- Modified
- 2023-11-08T04:06:52.291043Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Improper sanitization of delegated role names
- Details
-
Impact
The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system.
AWS would like to thank https://github.com/jku for reporting this issue.
Patches
A fix is available in version 0.12.0.
Workarounds
No workarounds to this issue are known.
References
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
- Database specific
{ "nvd_published_at": "2021-10-19T20:15:00Z", "github_reviewed_at": "2021-10-19T18:06:09Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
-
- https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c
- https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
- https://nvd.nist.gov/vuln/detail/CVE-2021-41150
- https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
- https://github.com/awslabs/tough
Affected packages
crates.io / tough
Package
- Name
- tough
- View open source insights on deps.dev
- Purl
- pkg:cargo/tough