GO-2022-0248

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0248

Import Source

https://vuln.go.dev/ID/GO-2022-0248.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0248

Aliases

Related

GHSA-3jhm-87m6-x959

Published

2022-07-15T23:07:18Z

Modified

2024-08-21T15:41:41.341758Z

Summary

Directory traversal in manifest path extraction in github.com/cloudflare/cfrpki

Details

Manifest path extraction is vulnerable to directory traversal attacks.

The ExtractPathManifest function permits file paths containing relative directory components (".."), permitting files to reference arbitrary locations on the filesystem.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0248"
}

References

Credits

- Koen van Hove

Affected packages

Go / github.com/cloudflare/cfrpki

Package

Name: github.com/cloudflare/cfrpki; View open source insights on deps.dev
Purl: pkg:golang/github.com/cloudflare/cfrpki

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/cloudflare/cfrpki/validator/pki",
            "symbols": [
                "ExtractPathManifest",
                "SimpleManager.Explore",
                "SimpleManager.ExploreAdd",
                "Validator.AddManifest",
                "Validator.AddResource"
            ]
        }
    ]
}