CVE-2021-3907
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
| Software | From | Fixed in |
|---|---|---|
| cloudflare / octorpki | - | 1.3.0 |
| debian / debian_linux | 10.0 | 10.0.x |
| debian / debian_linux | 11.0 | 11.0.x |
github.com/cloudflare/cfrpki
|
- | 1.4.3 |
- https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
- https://pkg.go.dev/vuln/GO-2022-0248
- https://www.debian.org/security/2021/dsa-5033
- https://www.debian.org/security/2022/dsa-5041
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime