CVE-2021-41149

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-41149

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41149.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-41149

Aliases

GHSA-x3r5-q6mj-m485

Related

GHSA-x3r5-q6mj-m485

Published

2021-10-19T18:15:08.093Z

Modified

2026-03-13T05:11:58.255613Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

References

Affected packages

Git / github.com/awslabs/tough

Affected ranges

Type

GIT

Repo

https://github.com/awslabs/tough

Events

Introduced

Fixed

e8f453e7c502ea2bbcbb8f76d38fa2674c895342

Fixed

1809b9bd1106d78a51fbea3071aa97a3530bac9a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.0"
        }
    ]
}

Affected versions

olpc-cjson-v0.*

olpc-cjson-v0.1.0

olpc-cjson-v0.1.1

olpc-cjson-v0.1.2

olpc-cjson-v0.1.3

tough-kms-v0.*

tough-kms-v0.1.0

tough-kms-v0.1.1

tough-kms-v0.10.0

tough-kms-v0.2.0

tough-kms-v0.3.0

tough-kms-v0.3.1

tough-kms-v0.3.2

tough-kms-v0.3.3

tough-kms-v0.3.4

tough-kms-v0.3.5

tough-kms-v0.3.6

tough-kms-v0.4.0

tough-kms-v0.4.1

tough-kms-v0.4.2

tough-kms-v0.5.0

tough-kms-v0.6.0

tough-kms-v0.7.0

tough-kms-v0.8.0

tough-kms-v0.9.0

tough-ssm-v0.*

tough-ssm-v0.1.0

tough-ssm-v0.10.0

tough-ssm-v0.11.0

tough-ssm-v0.12.0

tough-ssm-v0.13.0

tough-ssm-v0.2.0

tough-ssm-v0.3.0

tough-ssm-v0.4.0

tough-ssm-v0.5.0

tough-ssm-v0.6.0

tough-ssm-v0.6.1

tough-ssm-v0.6.2

tough-ssm-v0.6.3

tough-ssm-v0.6.4

tough-ssm-v0.6.5

tough-ssm-v0.6.6

tough-ssm-v0.7.0

tough-ssm-v0.7.1

tough-ssm-v0.7.2

tough-ssm-v0.8.0

tough-ssm-v0.9.0

tough-v0.*

tough-v0.1.0

tough-v0.10.0

tough-v0.11.0

tough-v0.11.1

tough-v0.11.2

tough-v0.11.3

tough-v0.12.0

tough-v0.12.1

tough-v0.12.2

tough-v0.12.3

tough-v0.12.4

tough-v0.12.5

tough-v0.13.0

tough-v0.14.0

tough-v0.15.0

tough-v0.16.0

tough-v0.17.0

tough-v0.17.1

tough-v0.18.0

tough-v0.2.0

tough-v0.3.0

tough-v0.4.0

tough-v0.5.0

tough-v0.6.0

tough-v0.7.0

tough-v0.7.1

tough-v0.8.0

tough-v0.9.0

tuftool-v0.*

tuftool-v0.1.0

tuftool-v0.1.1

tuftool-v0.10.0

tuftool-v0.10.1

tuftool-v0.10.2

tuftool-v0.10.3

tuftool-v0.11.0

tuftool-v0.11.1

tuftool-v0.2.0

tuftool-v0.3.0

tuftool-v0.4.0

tuftool-v0.4.1

tuftool-v0.5.0

tuftool-v0.6.0

tuftool-v0.6.1

tuftool-v0.6.2

tuftool-v0.6.3

tuftool-v0.6.4

tuftool-v0.7.0

tuftool-v0.7.1

tuftool-v0.7.2

tuftool-v0.8.0

tuftool-v0.8.1

tuftool-v0.8.2

tuftool-v0.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41149.json"