5 matches found
PT-2026-33355
Name of the Vulnerable Software and Affected Versions opam versions prior to 2.5.1 Description A directory traversal issue exists where a .install field containing a destination filepath can use ../ to reach a parent directory. Recommendations Update to version 2.5.1...
CVE-2024-8244
The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU time of check/time of use race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress...
CVE-2021-3907 Arbitrary filepath traversal via URI injection
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa, which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine...
GHSA-CQH2-VC2F-Q4FH Arbitrary filepath traversal via URI injection
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa, which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine...
Arbitrary filepath traversal via URI injection
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa, which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine...