GO-2022-0248

Source
https://pkg.go.dev/vuln/GO-2022-0248
Import Source
https://vuln.go.dev/ID/GO-2022-0248.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2022-0248
Aliases
Related
Published
2022-07-15T23:07:18Z
Modified
2024-08-21T15:42:14.227133Z
Summary
Directory traversal in manifest path extraction in github.com/cloudflare/cfrpki
Details

Manifest path extraction is vulnerable to directory traversal attacks.

The ExtractPathManifest function permits file paths containing relative directory components (".."), permitting files to reference arbitrary locations on the filesystem.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0248"
}
References
Credits
    • Koen van Hove

Affected packages

Go / github.com/cloudflare/cfrpki

Package

Name
github.com/cloudflare/cfrpki
View open source insights on deps.dev
Purl
pkg:golang/github.com/cloudflare/cfrpki

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/cloudflare/cfrpki/validator/pki",
            "symbols": [
                "ExtractPathManifest",
                "SimpleManager.Explore",
                "SimpleManager.ExploreAdd",
                "Validator.AddManifest",
                "Validator.AddResource"
            ]
        }
    ]
}