CVE-2021-41149 – tough

Package

Manager: cargo
Name: tough
Vulnerable Version: >=0 <0.12.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00628 pctl0.69328

Details

Improper sanitization of target names ### Impact The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. AWS would like to thank https://github.com/jku for reporting this issue. ### Patches A fix is available in version 0.12.0. ### Workarounds No workarounds to this issue are known.

Metadata

Created: 2021-10-19T20:16:15Z
Modified: 2021-10-19T18:04:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-x3r5-q6mj-m485/GHSA-x3r5-q6mj-m485.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-x3r5-q6mj-m485
Finding: F063
Auto approve: 1