data/reports/GO-2022-0248.yaml - vulndb - Git at Google

 modules:
   - module: github.com/cloudflare/cfrpki
     versions:
       - fixed: 1.4.3
     vulnerable_at: 1.4.2
     packages:
       - package: github.com/cloudflare/cfrpki/validator/pki
         symbols:
           - ExtractPathManifest
         derived_symbols:
           - SimpleManager.Explore
           - SimpleManager.ExploreAdd
           - Validator.AddManifest
           - Validator.AddResource
 summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
 description: |
     Manifest path extraction is vulnerable to directory traversal attacks.

     The ExtractPathManifest function permits file paths containing relative
     directory components (".."), permitting files to reference arbitrary
     locations on the filesystem.
 published: 2022-07-15T23:07:18Z
 cves:
   - CVE-2021-3907
 ghsas:
   - GHSA-cqh2-vc2f-q4fh
 credits:
   - Koen van Hove
 references:
   - fix: https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
	modules:
	- module: github.com/cloudflare/cfrpki
	versions:
	- fixed: 1.4.3
	vulnerable_at: 1.4.2
	packages:
	- package: github.com/cloudflare/cfrpki/validator/pki
	symbols:
	- ExtractPathManifest
	derived_symbols:
	- SimpleManager.Explore
	- SimpleManager.ExploreAdd
	- Validator.AddManifest
	- Validator.AddResource
	summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
	description: \|
	Manifest path extraction is vulnerable to directory traversal attacks.

	The ExtractPathManifest function permits file paths containing relative
	directory components (".."), permitting files to reference arbitrary
	locations on the filesystem.
	published: 2022-07-15T23:07:18Z
	cves:
	- CVE-2021-3907
	ghsas:
	- GHSA-cqh2-vc2f-q4fh
	credits:
	- Koen van Hove
	references:
	- fix: https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284