Candidate: CVE-2021-3907
PublicDate: 2021-11-11 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3907
 https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
Description:
 OctoRPKI does not escape a URI with a filename containing "..", this allows a
 repository to create a file (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa),
 which would then be written to disk outside the base cache folder. This could
 allow for remote code execution on the host machine OctoRPKI is running on.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_cfrpki:
upstream_cfrpki: needs-triage
trusty_cfrpki: ignored (out of standard support)
xenial_cfrpki: ignored (out of standard support)
hirsute_cfrpki: ignored (reached end-of-life)
impish_cfrpki: needs-triage
jammy_cfrpki: needs-triage
devel_cfrpki: needs-triage
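The traversal described above, as an added Go example that is not OctoRPKI's or cfrpki's own code: a cache-path mapping in the vulnerable shape (rsync host and path joined onto the cache root and trusted as-is) next to a hardened version that rejects ".." segments and checks containment. The cache root /var/cache/octorpki, the function names and the rsync URIs are assumptions constructed for the example; the upstream fix is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a repository-supplied URI would map to a
// location outside the cache root or outside its own host directory.
var ErrOutsideCache = errors.New("object path escapes cache directory")

// UnsafeCachePath reproduces the vulnerable pattern (hypothetical, not the
// project's code): host and path of the rsync URI are joined onto the cache
// root and the result is used without a containment check. filepath.Join
// cleans "..", so enough ".." segments climb right out of the root.
func UnsafeCachePath(cacheRoot, rsyncURI string) (string, error) {
	u, err := url.Parse(rsyncURI)
	if err != nil {
		return "", err
	}
	return filepath.Join(cacheRoot, u.Host, u.Path), nil
}

// SafeCachePath rejects any ".." segment up front (url.Parse has already
// decoded %2e%2e into ".."), then verifies that the cleaned path is still a
// descendant of <cacheRoot>/<host>, so one repository can neither escape the
// cache nor write into another repository's directory.
func SafeCachePath(cacheRoot, rsyncURI string) (string, error) {
	u, err := url.Parse(rsyncURI)
	if err != nil {
		return "", err
	}
	if u.Scheme != "rsync" || u.Host == "" || u.Host == "." || u.Host == ".." {
		return "", fmt.Errorf("unexpected URI %q", rsyncURI)
	}
	// Reject traversal segments outright; a name like "..foo" is legitimate.
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return "", ErrOutsideCache
		}
	}
	root, err := filepath.Abs(cacheRoot)
	if err != nil {
		return "", err
	}
	hostDir := filepath.Join(root, u.Host)
	p := filepath.Join(hostDir, u.Path)
	// Belt and braces: the cleaned result must not step above hostDir.
	rel, err := filepath.Rel(hostDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return p, nil
}

func main() {
	const root = "/var/cache/octorpki" // assumed cache root
	// Constructed attacker URI with enough ".." to climb above the cache root.
	evil := "rsync://example.org/repo/../../../../etc/cron.daily/evil.roa"
	good := "rsync://example.org/repo/ca.roa"

	p, _ := UnsafeCachePath(root, evil)
	fmt.Println("unsafe:", p)
	if _, err := SafeCachePath(root, evil); err != nil {
		fmt.Println("safe:  ", err)
	}
	p, _ = SafeCachePath(root, good)
	fmt.Println("safe:  ", p)
}
```

Two points worth noting when auditing similar code: the URI in the advisory text carries only two ".." segments, which after cleaning still lands under the cache root but outside the repository's own host directory, so a prefix check against the root alone is not enough; and because net/url decodes the path, percent-encoded dot segments must be rejected after parsing, not by scanning the raw URI string.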