High severity · NVD Advisory · Published Nov 11, 2021 · Updated Sep 17, 2024
Arbitrary filepath traversal via URI injection
CVE-2021-3907
Description
OctoRPKI does not escape a URI with a filename containing ".."; this allows a repository to create a file (e.g. rsync://example.org/repo/../../etc/cron.daily/evil.roa) that would then be written to disk outside the base cache folder. This could allow remote code execution on the host machine on which OctoRPKI is running.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cloudflare/cfrpki (Go) | < 1.4.4 | 1.4.4 |
Affected products
- Range: unspecified
Patches
eb9cc4db7b7b NETDEV-4268: Fix octorpki path traversal vulnerability
2 files changed · +14 −7
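--- a/cmd/octorpki/octorpki.go
+++ b/cmd/octorpki/octorpki.go
@@ -316,8 +316,10 @@ func (s *state) WriteRsyncFileOnDisk(path string, data []byte, withdraw bool) er
 	if err != nil {
 		log.Fatal(err)
 	}
-	// GHSA-cqh2-vc2f-q4fh: Prevent parent directory writes outside of Basepath
-	fPath = strings.ReplaceAll(fPath, "../", "")
+	// GHSA-8459-6rc9-8vf8: Prevent parent directory writes outside of Basepath
+	if strings.Contains(fPath, "../") || strings.Contains(fPath, "..\\") {
+		return fmt.Errorf("Path %q contains illegal path element", fPath)
+	}
 
 	f, err := os.Create(filepath.Join(s.Basepath, fPath))
 	if err != nil {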
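Review bot: The added guard is a substring test, so a `..` component that is not followed by a separator (for instance one at the very end of fPath) passes it and the `filepath.Join` below still resolves above Basepath; the same substring test is repeated in ExtractPathManifest in validator/pki/pki.go of this commit. Checking containment on the resolved path is more robust: `rel, err := filepath.Rel(s.Basepath, filepath.Join(s.Basepath, fPath))` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return fmt.Errorf("path %q escapes base path", fPath) }`, and on Go 1.20 or later `filepath.IsLocal(fPath)` expresses the same intent in one call. The new error string should also begin lowercase per Go convention. WriteRsyncFileOnDisk starts and ends outside the hunk.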
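--- a/validator/pki/pki.go
+++ b/validator/pki/pki.go
@@ -596,7 +596,10 @@ func (v *Validator) ValidateROA(roa *librpki.RPKIROA) error {
 }
 
 func (v *Validator) AddManifest(pkifile *PKIFile, mft *librpki.RPKIManifest) (bool, []*PKIFile, *Resource, error) {
-	pathCert := ExtractPathManifest(mft)
+	pathCert, err := ExtractPathManifest(mft)
+	if err != nil {
+		return false, nil, nil, fmt.Errorf("ExtractPathManifest failed: %v", err)
+	}
 
 	valid, _, res, err := v.AddCert(mft.Certificate, false)
 	if res == nil {
@@ -751,22 +754,24 @@ func ExtractPathCert(cert *librpki.RPKICertificate) []*PKIFile {
 }
 
 // Returns the list of files from the Manifest
-func ExtractPathManifest(mft *librpki.RPKIManifest) []*PKIFile {
+func ExtractPathManifest(mft *librpki.RPKIManifest) ([]*PKIFile, error) {
 	fileList := make([]*PKIFile, 0)
 	for _, file := range mft.Content.FileList {
 		curFile := file.Name
 		path := string(curFile)
-		// GHSA-cqh2-vc2f-q4fh: Prevent file path references to parent
+		// GHSA-8459-6rc9-8vf8: Prevent file path references to parent
 		// directories.
-		path = strings.ReplaceAll(path, "../", "")
+		if strings.Contains(path, "../") || strings.Contains(path, "..\\") {
+			return nil, fmt.Errorf("Path %q contains illegal path element", path)
+		}
 		item := PKIFile{
 			Type:         DetermineType(path),
 			Path:         path,
 			ManifestHash: file.GetHash(),
 		}
 		fileList = append(fileList, &item)
 	}
-	return fileList
+	return fileList, nil
 }
 
 func (sm *SimpleManager) AddInitial(fileList []*PKIFile) {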
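Review bot: The doc comment `// Returns the list of files from the Manifest` above ExtractPathManifest no longer describes the signature, which now also returns an error and rejects the whole manifest on the first offending entry; suggest `// ExtractPathManifest returns the files listed in the manifest, or an error if any entry's path contains a parent-directory reference.` In AddManifest the wrapping `fmt.Errorf("ExtractPathManifest failed: %v", err)` should use `%w` so callers can unwrap the cause, and both new error strings start with a capital letter against Go convention (`"path %q contains illegal path element"`). AddManifest's body continues past the first hunk.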
a053a808feeb VULN-8290: Prevent parent directory traversal on file writes/reads
2 files changed · +9 −1
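--- a/cmd/octorpki/octorpki.go
+++ b/cmd/octorpki/octorpki.go
@@ -314,6 +314,9 @@ func (s *state) WriteRsyncFileOnDisk(path string, data []byte, withdraw bool) er
 	if err != nil {
 		log.Fatal(err)
 	}
+	// GHSA-cqh2-vc2f-q4fh: Prevent parent directory writes outside of Basepath
+	fPath = strings.ReplaceAll(fPath, "../", "")
+
 	f, err := os.Create(filepath.Join(s.Basepath, fPath))
 	if err != nil {
 		return err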
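Review bot: Stripping `../` with a single `strings.ReplaceAll` on the added line does not guarantee the result is free of traversal, because removing one occurrence can leave the characters on either side forming a new `../`, so the sanitized fPath can still resolve outside Basepath in the `filepath.Join` below. Rejecting an untrusted path instead of rewriting it, and then checking that the joined path stays under Basepath (`filepath.Rel` against s.Basepath, or `filepath.IsLocal` on Go 1.20+), is the robust pattern; commit eb9cc4db7b7b on this page moves to rejection. The same ReplaceAll sanitization appears in ExtractPathManifest in validator/pki/pki.go of this commit. WriteRsyncFileOnDisk starts and ends outside the hunk.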
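--- a/validator/pki/pki.go
+++ b/validator/pki/pki.go
@@ -7,8 +7,10 @@ import (
 	"encoding/asn1"
 	"errors"
 	"fmt"
-	"github.com/cloudflare/cfrpki/validator/lib"
+	"strings"
 	"time"
+
+	librpki "github.com/cloudflare/cfrpki/validator/lib"
 )
 
 const (
@@ -754,6 +756,9 @@ func ExtractPathManifest(mft *librpki.RPKIManifest) []*PKIFile {
 	for _, file := range mft.Content.FileList {
 		curFile := file.Name
 		path := string(curFile)
+		// GHSA-cqh2-vc2f-q4fh: Prevent file path references to parent
+		// directories.
+		path = strings.ReplaceAll(path, "../", "")
 		item := PKIFile{
 			Type: DetermineType(path),
 			Path: path,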
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cqh2-vc2f-q4fh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-3907 (ghsa, ADVISORY)
- www.debian.org/security/2021/dsa-5033 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- www.debian.org/security/2022/dsa-5041 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd (ghsa, WEB)
- github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284 (ghsa, WEB)
- github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959 (ghsa, x_refsource_MISC, WEB)
- github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh (ghsa, x_refsource_MISC, WEB)
- pkg.go.dev/vuln/GO-2022-0248 (ghsa, WEB)
News mentions
No linked articles in our index yet.