logo

Database

Lack of data validation - Path Traversal In tough

Description

Improper sanitization of target names

Impact

The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system.

AWS would like to thank https://github.com/jku for reporting this issue.

Patches

A fix is available in version 0.12.0.

Workarounds

No workarounds to this issue are known.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-411492. NVD-2021-411493. OSV-2021-411494. GHSA-x3r5-q6mj-m4855. GCVE-2021-41149

References

1. https://github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m4852. https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.