Lucene search
PRIOn knowledge basePRION:CVE-2021-3907HistoryNov 11, 2021 - 10:15 p.m.
Remote code execution
2021-11-1122:15:00
PRIOn knowledge base
www.prio-n.com
2
OctoRPKI does not escape a URI with a filename containing “…”, this allows a repository to create a file, (ex. rsync://example.org/repo/…/…/etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
| CPE | Name | Operator | Version |
|---|---|---|---|
| octorpki | lt | 1.3.0 | |
| debian_linux | eq | 10.0 | |
| debian_linux | eq | 11.0 |
Related
github
github
Arbitrary filepath traversal via URI injection
2021-11-10 20:08:29
Path traversal mitigation bypass in OctoRPKI
2022-06-25 07:12:08
cvelist
cvelist
CVE-2021-3907 Arbitrary filepath traversal via URI injection
2021-11-01 00:00:00
veracode
veracode
Directory Traversal
2021-11-11 08:49:09
osv
osv
Path traversal in github.com/cloudflare/cfrpki/cmd/octorpki
2022-02-14 22:52:15
Arbitrary filepath traversal via URI injection
2021-11-10 20:08:29
ubuntucve
ubuntucve
CVE-2021-3907
2021-11-11 00:00:00
debiancve
debiancve
CVE-2021-3907
2021-11-11 22:15:07
nvd
nvd
CVE-2021-3907
2021-11-11 22:15:07
cve
cve
CVE-2021-3907
2021-11-11 22:15:07
openvas
openvas
Debian: Security Advisory (DSA-5033-1)
2022-01-01 00:00:00
Debian: Security Advisory (DSA-5041-1)
2022-01-12 00:00:00
debian
debian
[SECURITY] [DSA 5033-1] fort-validator security update
2021-12-30 19:35:37
[SECURITY] [DSA 5041-1] cfrpki security update
2022-01-11 21:54:05
nessus
nessus
Debian DSA-5033-1 : fort-validator - security update
2021-12-31 00:00:00
Debian DSA-5041-1 : cfrpki - security update
2022-01-12 00:00:00