Vulnerability Report: GO-2022-0248
- CVE-2021-3907, GHSA-cqh2-vc2f-q4fh, and 1 more
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: May 20, 2024
Manifest path extraction is vulnerable to directory traversal attacks. The ExtractPathManifest function accepts file paths containing relative directory components (".."), allowing files to reference arbitrary locations on the filesystem.
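One way to keep a manifest-supplied file name inside its repository directory, shown as an added example (not cfrpki's code or its actual fix). The names `naiveJoin`, `safeJoin`, `ErrTraversal` and the sample paths are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is a hypothetical sentinel error for rejected entries.
var ErrTraversal = errors.New("manifest entry escapes repository directory")

// naiveJoin shows the flaw class described above: the manifest-supplied
// name is joined to the base directory with no check for "..".
func naiveJoin(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeJoin resolves name under baseDir and rejects any result that is not
// strictly inside baseDir (absolute names, "..", or the directory itself).
func safeJoin(baseDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name) // Join also cleans the result
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base := "/var/cache/rpki/repo.example" // constructed sample directory
	names := []string{ // constructed sample manifest entries
		"a.roa", "sub/b.cer", "..odd.roa",
		"../../../etc/cron.d/x", "sub/../../other/c.roa",
	}
	for _, n := range names {
		p, err := safeJoin(base, n)
		fmt.Printf("%-26q naive=%q safe=%q err=%v\n", n, naiveJoin(base, n), p, err)
	}
}
```

The check operates on the cleaned path string only; it does not resolve symlinks that already exist under the base directory.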
Affected Packages
Path | Go Versions | Symbols
- before v1.4.4
References
- https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd
- https://vuln.go.dev/ID/GO-2022-0248.json
Credits
- Koen van Hove