SB2021101988 - Multiple vulnerabilities in tough



SB2021101988 - Multiple vulnerabilities in tough

Published: October 19, 2021 Updated: April 25, 2026

Security Bulletin ID SB2021101988
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2021-41149)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to overwrite files with arbitrary content anywhere on the system.

The vulnerability exists due to improper sanitization of target names in repository caching and target output handling when caching a repository or saving specific targets to an output directory. A remote attacker can supply a crafted target name to overwrite files with arbitrary content anywhere on the system.


2) Path traversal (CVE-ID: CVE-2021-41150)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to overwrite arbitrary .json files on the system.

The vulnerability exists due to improper sanitization of delegated role names in repository caching and filesystem loading logic when caching a repository or loading a repository from the filesystem. A local user can use crafted delegated role names to overwrite arbitrary .json files on the system.


Remediation

Install update from vendor's website.