CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

CVSS v3 6.5 MEDIUM
CVSS v2.0 3.5 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a	Patch Third Party Advisory
https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c	Third Party Advisory
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*

History

No history.

Information

Published : 2021-10-19 20:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-41150

Mitre link : CVE-2021-41150

CVE.ORG link : CVE-2021-41150

JSON object : View

Products Affected

amazon

tough

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-41150", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.8}]}, "published": "2021-10-19T20:15:08.263", "references": [{"url": "https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known."}, {"lang": "es", "value": "Tough proporciona un conjunto de bibliotecas y herramientas de Rust para usar y generar los repositorios del marco de actualizaci\u00f3n (TUF). La biblioteca tough, versiones anteriores a 0.12.0, no sanea adecuadamente los nombres de los roles delegados cuando se almacena en cach\u00e9 un repositorio, o cuando se carga un repositorio desde el sistema de archivos. Cuando el repositorio se almacena en cach\u00e9 o se carga, los archivos que terminan con la extensi\u00f3n .json podr\u00edan sobrescribirse con metadatos de roles en cualquier parte del sistema. Una correcci\u00f3n est\u00e1 disponible en la versi\u00f3n 0.12.0. No se conocen soluciones a este problema"}], "lastModified": "2021-10-26T17:04:28.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "887CA5C2-F0F1-4C02-A4E6-976EF0A5DA53", "versionEndExcluding": "0.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}