Vulnerability Report: GO-2022-0248
- CVE-2021-3907, GHSA-cqh2-vc2f-q4fh, and 1 more
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Nov 06, 2023
Manifest path extraction is vulnerable to directory traversal attacks. The ExtractPathManifest function accepts file paths containing relative directory components (".."), which lets files reference arbitrary locations on the filesystem.
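The traversal described above, shown beside a validating join, as an added example that is not cfrpki's code or its actual fix. The names `NaiveResolve`, `SafeResolve` and `ErrUnsafeName` and the sample paths are hypothetical, and the code assumes manifest entries are bare file names stored alongside the manifest.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafeName marks a manifest entry that could leave the manifest's directory.
var ErrUnsafeName = errors.New("unsafe file name in manifest")

// NaiveResolve (hypothetical) joins the entry to the manifest's directory
// without validation, so ".." components walk out of that directory.
func NaiveResolve(manifestPath, fileName string) string {
	return path.Join(path.Dir(manifestPath), fileName)
}

// SafeResolve (hypothetical, not cfrpki's API) accepts only bare file names
// and confirms the joined path is still directly inside the manifest's directory.
func SafeResolve(manifestPath, fileName string) (string, error) {
	base := path.Dir(manifestPath)
	if fileName == "" || fileName == "." || fileName == ".." ||
		strings.ContainsAny(fileName, "/\\\x00") {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, fileName)
	}
	joined := path.Join(base, fileName)
	// Defence in depth: re-check the cleaned result against the base directory.
	if path.Dir(joined) != base {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, fileName)
	}
	return joined, nil
}

func main() {
	// Constructed sample: a manifest path and entries as they might be listed in it.
	mft := "cache/repo/ca/manifest.mft"
	for _, name := range []string{"cert1.roa", "../../other/cert1.roa", "sub/x.cer", ".."} {
		p, err := SafeResolve(mft, name)
		fmt.Printf("%-24q naive=%-28q safe=%q err=%v\n", name, NaiveResolve(mft, name), p, err)
	}
}
```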
Affected Packages
- Versions: before v1.4.4
References
- https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd
- https://vuln.go.dev/ID/GO-2022-0248.json
Credits
- Koen van Hove