Platform
go
Component
github.com/cloudflare/cfrpki
Fixed in
1.4.3
CVE-2021-3907 is a directory traversal vulnerability discovered in cfrpki, a Go library for certificate management. This flaw allows attackers to potentially read sensitive files from the server's filesystem by manipulating file paths. The vulnerability impacts versions of cfrpki before 1.4.4 and can be resolved by upgrading to the patched version.
The core of the vulnerability lies within the ExtractPathManifest function, which improperly handles file paths. Specifically, it fails to adequately sanitize input, allowing the inclusion of relative directory traversal sequences (e.g., ../). An attacker could supply a path such as ../../../../etc/passwd to access files outside the intended directory. This could expose sensitive configuration data, private keys, or other critical system files. The potential blast radius depends on the permissions of the cfrpki process and the files accessible from its execution context. Successful exploitation could lead to complete system compromise.
CVE-2021-3907 was publicly disclosed on July 15, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The EPSS score is currently unavailable, suggesting a low to medium probability of exploitation. No public proof-of-concept exploits have been widely published, but the nature of directory traversal vulnerabilities makes it likely that one will emerge if the vulnerability remains unpatched in exposed systems.
Exploit Status
EPSS
1.89% (83rd percentile)
CVSS Vector
The primary mitigation for CVE-2021-3907 is to upgrade to cfrpki version 1.4.4 or later. This version includes a fix that properly sanitizes file paths, preventing directory traversal attacks. If upgrading immediately is not feasible, consider implementing input validation on file paths used by cfrpki to restrict access to authorized directories. While a WAF might offer some protection, it's not a reliable substitute for patching the underlying vulnerability. There are no specific Sigma or YARA rules readily available for this vulnerability, as it's a code-level issue.
Update OctoRPKI to version 1.4.3 or higher. This version fixes the path traversal vulnerability that allows remote code execution. The update will prevent a malicious repository from creating files outside the base cache folder.
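As an added example (not code from the cfrpki project), this is the kind of path confinement check the mitigation above describes, in Go: a repository-supplied relative path is joined onto the cache root and rejected if the cleaned result leaves that root. The cache root, the function name and the sample paths are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a repository-supplied path resolves outside the cache root.
var ErrPathEscape = errors.New("path escapes cache root")

// SafeCachePath joins an untrusted relative path onto cacheRoot and rejects any
// result that does not stay inside it. The check is done on the cleaned, absolute
// result rather than by searching for "../" substrings, so nested or collapsed
// traversal sequences and absolute paths are caught as well. Symlinks inside the
// cache are not resolved here; use filepath.EvalSymlinks if the cache may hold them.
func SafeCachePath(cacheRoot, untrusted string) (string, error) {
	root, err := filepath.Abs(cacheRoot)
	if err != nil {
		return "", err
	}
	root = filepath.Clean(root)
	// An absolute path supplied by the repository is never acceptable.
	if filepath.IsAbs(untrusted) {
		return "", ErrPathEscape
	}
	// Join cleans the result, collapsing any "../" components against root.
	candidate := filepath.Join(root, untrusted)
	// The candidate must be root itself or a descendant of root.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", ErrPathEscape
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs: one benign path and three traversal attempts.
	for _, p := range []string{"rrdp/example.roa", "../../../../etc/passwd", "/etc/passwd", "a/../../x"} {
		got, err := SafeCachePath("/var/cache/octorpki", p)
		fmt.Printf("%-28q -> %q, %v\n", p, got, err)
	}
}
```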
CVE-2021-3907 is a directory traversal vulnerability in cfrpki, allowing attackers to potentially read arbitrary files on the system if versions prior to 1.4.4 are used.
You are affected if you are using cfrpki versions earlier than 1.4.4. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to cfrpki version 1.4.4 or later to resolve the vulnerability. If immediate upgrade is not possible, implement input validation on file paths.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-3907, but the potential for exploitation exists.
Refer to the cfrpki project's repository and associated security advisories for details: [https://github.com/cloudflare/cfrpki](https://github.com/cloudflare/cfrpki)