Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2021-41131

Disclosure Date: October 19, 2021 •

CVE-2021-41131 CVSS v3 Base Score: 8.7

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (tuf/client and tuf/ngclient), there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo(). It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie ../../name.json). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.7 High

Impact Score:

5.8

Exploitability Score:

2.2

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

High

References

Canonical

CVE-2021-41131 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41131)

Advisory

https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr

Miscellaneous

https://github.com/theupdateframework/python-tuf/issues/1527

https://github.com/theupdateframework/python-tuf/commit/4ad7ae48fda594b640139c3b7eae21ed5155a102

Rapid7

Unknown

CVE-2021-41131

Unknown

Unknown

None

None

Network

CVE-2021-41131

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2021-41131

Unknown

Unknown

None

None

Network

CVE-2021-41131

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification