Path traversal in tough - CVE-2021-41149

 


Published: October 19, 2021 / Updated: April 25, 2026


Vulnerability identifier: #VU127896
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-41149
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: tough
Software vendor: Amazon Web Services

Description

The vulnerability allows a remote attacker to overwrite files with arbitrary content anywhere on the system.

The vulnerability exists because target names are not properly sanitized when a repository is cached or when specific targets are saved to an output directory. A remote attacker can supply a crafted target name to overwrite files with arbitrary content anywhere on the system.
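
The bug class described above, sketched in Rust (the language tough is written in) as an added example; this is not tough's code or its actual fix. The function names, the output directory and the sample target names are constructed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Unchecked mapping (the CWE-22 pattern): the target name taken from
/// repository metadata is joined to the output directory as-is.
/// Note that `Path::join` with an absolute path discards the base entirely.
fn naive_target_path(outdir: &Path, target_name: &str) -> PathBuf {
    outdir.join(target_name)
}

/// Hardened mapping: accept only names built from plain path components.
/// Returns None for any name that could resolve outside `outdir`.
fn safe_target_path(outdir: &Path, target_name: &str) -> Option<PathBuf> {
    // Reject empty names, NUL bytes, and backslashes (a separator on Windows).
    if target_name.is_empty() || target_name.contains('\0') || target_name.contains('\\') {
        return None;
    }
    let mut out = outdir.to_path_buf();
    for component in Path::new(target_name).components() {
        match component {
            Component::Normal(part) => out.push(part),
            // RootDir, Prefix, ParentDir, leading CurDir: reject, do not normalise.
            _ => return None,
        }
    }
    Some(out)
}

fn main() {
    // Constructed output directory and target names.
    let outdir = Path::new("/srv/out");
    for name in ["app/v1/update.bin", "../outside/file", "app/../../x", "/tmp/abs"] {
        println!(
            "{:?}\n  naive: {:?}\n  safe:  {:?}",
            name,
            naive_target_path(outdir, name),
            safe_target_path(outdir, name)
        );
    }
}
```

The check is purely lexical: it does not detect symlinks that already exist under the output directory, which need a separate check on the resolved path before writing.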


Remediation

Install the security update from the vendor's website.

External links