This repository has been archived by the owner on Jun 9, 2024. It is now read-only.
Path traversal in github.com/cloudflare/cfrpki/cmd/octorpki
Package
Affected versions
<= f5aeb07ff5802a6f307463e115b7afac3a1cbc19
Patched versions
eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284
Impact
If octorpki parses a malicious TAL file that points to a repository serving a malicious ROA file, and octorpki downloads that file, the current directory traversal mitigation can be bypassed, allowing writes outside of the current directory.
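A containment check of the kind this class of bug calls for, as an added example (not octorpki's code and not the fix in the patched commit): the hypothetical `localPath` helper resolves a repository URI under a cache directory and rejects any result that lands outside it. The URIs, host name and `cache` directory are constructed for illustration and are not taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrEscapes reports a URI that would resolve outside the cache directory.
var ErrEscapes = errors.New("resolved path escapes base directory")

// localPath (hypothetical helper) maps a repository URI to a file under base.
// It validates the final cleaned path instead of filtering the input string.
// The check is lexical: it assumes base contains no attacker-made symlinks.
func localPath(base, rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// u.Path is already percent-decoded; Join cleans away "." and ".." segments.
	candidate := filepath.Join(absBase, u.Host, filepath.FromSlash(u.Path))
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return candidate, nil
}

func main() {
	// Constructed URIs, as might appear in a TAL or in repository objects.
	for _, uri := range []string{
		"rsync://rpki.example.net/repo/a.roa",
		"rsync://rpki.example.net/repo/../../../tmp/a.roa",
		"rsync://rpki.example.net/repo/%2e%2e/%2e%2e/%2e%2e/tmp/a.roa",
	} {
		p, err := localPath("cache", uri)
		fmt.Printf("%-62s -> %q, %v\n", uri, p, err)
	}
}
```

Checking the resolved path against the base directory just before the write means the decision is made on the same string the filesystem call receives.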
Patches
eb9cc4d