SB2021101988 - Multiple vulnerabilities in tough
Published: October 19, 2021 Updated: April 25, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2021-41149)
The vulnerability allows a remote attacker to overwrite files with arbitrary content anywhere on the system.
The vulnerability exists due to improper sanitization of target names in repository caching and target output handling when caching a repository or saving specific targets to an output directory. A remote attacker can supply a crafted target name to overwrite files with arbitrary content anywhere on the system.
2) Path traversal (CVE-ID: CVE-2021-41150)
The vulnerability allows a local user to overwrite arbitrary .json files on the system.
The vulnerability exists due to improper sanitization of delegated role names in repository caching and filesystem loading logic when caching a repository or loading a repository from the filesystem. A local user can use crafted delegated role names to overwrite arbitrary .json files on the system.
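Both issues above come from the same root cause: a name taken from repository metadata (a target name or a delegated role name) is joined onto a local directory without first checking that the result stays inside that directory. The following is an added example written for this bulletin, not code from the tough project, showing the lexical check a defender wants before any such join. The function names (`safe_join`, `safe_role_file`) and the sample paths are assumptions for illustration. Target names legitimately use `/` to place a target in a subdirectory, so ordinary components are kept and only root-changing components (`..`, an absolute path, a drive prefix, backslashes, NUL) are refused; delegated role names become `<role>.json` in the metadata directory and so must be a single plain component.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically join an untrusted, repository-supplied `name` onto a trusted
/// `base` directory, refusing any name that could resolve outside it.
/// Hypothetical helper written for this bulletin; not tough's own API.
pub fn safe_join(base: &Path, name: &str) -> Result<PathBuf, String> {
    if name.is_empty() {
        return Err("empty name".to_string());
    }
    // NUL cannot appear in a filename; a backslash is a separator on Windows
    // and would bypass the component walk below on that platform.
    if name.contains('\0') || name.contains('\\') {
        return Err(format!("forbidden character in name {:?}", name));
    }
    let mut out = base.to_path_buf();
    let mut pushed = 0usize;
    for comp in Path::new(name).components() {
        match comp {
            // A normal component (e.g. "pkg" or "app.tar.gz") is appended.
            Component::Normal(part) => {
                out.push(part);
                pushed += 1;
            }
            // "." changes nothing and is simply skipped.
            Component::CurDir => {}
            // ".." is the classic traversal primitive: refuse it outright
            // rather than trying to normalise it away.
            Component::ParentDir => {
                return Err(format!("parent traversal in name {:?}", name));
            }
            // A leading "/" or a Windows drive prefix would replace `base`.
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute path in name {:?}", name));
            }
        }
    }
    if pushed == 0 {
        return Err(format!("name {:?} has no file component", name));
    }
    // Belt and braces: the joined result must still sit under `base`.
    if !out.starts_with(base) {
        return Err(format!("name {:?} escapes {}", name, base.display()));
    }
    Ok(out)
}

/// Delegated role metadata is written as `<role>.json` directly inside
/// `meta_dir`, so the role name must not introduce any subdirectory at all.
/// Hypothetical helper written for this bulletin; not tough's own API.
pub fn safe_role_file(meta_dir: &Path, role: &str) -> Result<PathBuf, String> {
    if role.is_empty() {
        return Err("empty role name".to_string());
    }
    let path = safe_join(meta_dir, &format!("{}.json", role))?;
    // safe_join already blocks "..", absolute paths and backslashes; this
    // additionally rejects "sub/role", which would land in a subdirectory.
    if path.parent() != Some(meta_dir) {
        return Err(format!("role name {:?} must not contain a path separator", role));
    }
    Ok(path)
}

fn main() {
    // Constructed sample inputs: one benign target name, then the shapes of
    // name that the two bulletin entries describe being abused.
    let out_dir = Path::new("/tmp/out");
    let meta_dir = Path::new("/tmp/meta");
    for name in ["pkg/app.tar.gz", "../../etc/crontab", "/etc/passwd"] {
        println!("target {:?} -> {:?}", name, safe_join(out_dir, name));
    }
    for role in ["delegated", "../root", "sub/role"] {
        println!("role {:?} -> {:?}", role, safe_role_file(meta_dir, role));
    }
}
```

The check is purely lexical on purpose: it runs before anything touches the filesystem, so it needs no existing directory to canonicalise against and cannot be influenced by symlinks planted in the output location. Percent-encoding the name instead of validating it is an equally sound alternative; either way the name must be treated as untrusted input, not as a path.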
Remediation
Install the update from the vendor's website.