
CVE-2021-41131 tuf

Package

Manager: pip
Name: tuf
Vulnerable Version: >=0 <0.19.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N

EPSS: 0.00644 (percentile 0.69743)

Details

Client metadata path-traversal

### Impact

In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename and may contain path traversal characters (i.e. `../../name.json`).

The impact is mitigated by a few facts:

* It only affects implementations that allow arbitrary rolename selection for delegated targets metadata
* The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata
* The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always `.json`.

### Patches

A fix is available in version 0.19 or newer.

### Workarounds

None that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable; neither of these approaches is possible without modifying python-tuf.

### References

- [The issue where this was discovered](https://github.com/theupdateframework/python-tuf/issues/1527)
- [Proof of Concept demonstrating the flaw](https://github.com/jku/path-traversal-poc)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [python-tuf](https://github.com/theupdateframework/python-tuf/issues)
* Contact the maintainers by email or Slack
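As an added illustration of the workaround the advisory describes (restricting the rolename character set and making sure the resulting file stays inside the metadata directory), not python-tuf's own code or its 0.19 fix: the vulnerable filename join next to a hardened version. The metadata directory and the rolenames are constructed samples.

```python
import os
import re
from pathlib import Path

# Constructed sample rolenames, including ones a malicious delegation
# could supply to steer the written .json file outside the metadata dir.
SAMPLE_ROLENAMES = ["role1", "../../name", "sub/role", "..", "ok-role_2"]


def unsafe_metadata_path(metadata_dir: str, rolename: str) -> str:
    """Vulnerable pattern: the rolename goes straight into the filename."""
    return os.path.join(metadata_dir, rolename + ".json")


# Allow-list for rolenames used as filenames (an assumption for this
# example; the real project may choose a different encoding scheme).
_ROLENAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def safe_metadata_path(metadata_dir: str, rolename: str) -> str:
    """Hardened pattern: allow-list the characters, reject '.' and '..',
    then confirm the resolved path is still a direct child of metadata_dir."""
    if rolename in (".", "..") or not _ROLENAME_RE.fullmatch(rolename):
        raise ValueError(f"invalid rolename: {rolename!r}")
    base = Path(metadata_dir).resolve()
    candidate = (base / f"{rolename}.json").resolve()
    if candidate.parent != base:
        raise ValueError(f"rolename escapes metadata dir: {rolename!r}")
    return str(candidate)


def escapes_dir(metadata_dir: str, rolename: str) -> bool:
    """True when the unsafe join would write outside metadata_dir."""
    base = Path(metadata_dir).resolve()
    target = Path(unsafe_metadata_path(metadata_dir, rolename)).resolve()
    return target.parent != base


def check_rolenames(metadata_dir: str, rolenames) -> dict:
    """Classify each rolename as accepted or rejected by the hardened check."""
    results = {}
    for name in rolenames:
        try:
            safe_metadata_path(metadata_dir, name)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```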

Metadata

Created: 2021-10-19T20:14:36Z
Modified: 2024-11-18T22:45:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-wjw6-2cqr-j4qr/GHSA-wjw6-2cqr-j4qr.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-wjw6-2cqr-j4qr
Finding: F063
Auto approve: 1