Platform
go
Component
github.com/cloudflare/cfrpki
Fixed in
1.4.3
CVE-2021-3907 is a directory traversal vulnerability discovered in cfrpki, a Go library for certificate management. This flaw allows attackers to potentially read sensitive files from the server's filesystem by manipulating file paths. The vulnerability impacts versions of cfrpki before 1.4.4 and can be resolved by upgrading to the patched version.
The core of the vulnerability lies in the ExtractPathManifest function, which improperly handles file paths. Specifically, it fails to adequately sanitize input, allowing relative directory traversal sequences (e.g., ../) to pass through. An attacker could supply a specially crafted path, such as ../../../../etc/passwd, to access files outside the intended directory. This could expose sensitive configuration data, private keys, or other critical system files. The potential blast radius depends on the permissions of the cfrpki process and the files accessible from its execution context. Successful exploitation could lead to complete system compromise.
CVE-2021-3907 was publicly disclosed on July 15, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The EPSS score is currently unavailable, suggesting a low to medium probability of exploitation. No public proof-of-concept exploits have been widely published, but the nature of directory traversal vulnerabilities makes it likely that one will emerge if the vulnerability remains unpatched in exposed systems.
Organizations using cfrpki in their certificate management infrastructure, particularly those deploying it in cloud environments or containerized applications, are at risk. Systems with weak file permissions or exposed certificate management endpoints are especially vulnerable.
• go / binary: Inspect cfrpki binary for the vulnerable ExtractPathManifest function. Use strings or objdump to search for the function name and related code.
• go / supply-chain: Examine dependencies of Go projects using cfrpki. Use go list -m all to identify versions and check for vulnerable versions.
• generic web: Monitor access logs for unusual file requests containing ../ sequences, especially targeting paths related to certificate management.
disclosure
Exploit status
EPSS
1.89% (percentile 83%)
CVSS vector
The primary mitigation for CVE-2021-3907 is to upgrade to cfrpki version 1.4.4 or later. This version includes a fix that properly sanitizes file paths, preventing directory traversal attacks. If upgrading immediately is not feasible, consider implementing input validation on file paths used by cfrpki to restrict access to authorized directories. While a WAF might offer some protection, it's not a reliable substitute for patching the underlying vulnerability. There are no specific Sigma or YARA rules readily available for this vulnerability, as it's a code-level issue.
Update OctoRPKI to version 1.4.3 or later. This version fixes the path traversal vulnerability that allows remote code execution. The update will prevent a malicious repository from creating files outside the cache base folder.
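A path containment check of the kind the mitigation above describes (restrict repository-supplied paths to the cache base directory), written as an added example for this page rather than taken from cfrpki's own code; the function name `SafeCachePath` and the base directory `/var/cache/octorpki` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a path would resolve outside the cache base directory.
var ErrOutsideBase = errors.New("path escapes cache base directory")

// SafeCachePath joins an untrusted, repository-supplied relative path onto the
// trusted cache base directory and refuses any result that leaves that directory.
// Added example for this page; not cfrpki's own fix. It does not resolve symlinks:
// if repository content can create links, also check filepath.EvalSymlinks on the result.
func SafeCachePath(base, untrusted string) (string, error) {
	if untrusted == "" {
		return "", errors.New("empty path")
	}
	// Backslashes and NUL bytes are never legitimate here; reject rather than guess.
	if strings.ContainsAny(untrusted, "\\\x00") {
		return "", errors.New("forbidden character in path")
	}
	// An absolute path is not a repository object, even though Join would rebase it.
	if filepath.IsAbs(untrusted) {
		return "", ErrOutsideBase
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, untrusted) // Join cleans the result, collapsing ".."
	// Rel reports where joined sits relative to cleanBase; a leading ".." means it escaped.
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	base := "/var/cache/octorpki" // constructed base directory for the demo
	for _, p := range []string{"rpki.example/repo/a.mft", "../../../../etc/passwd", "/etc/passwd", "x/../../y"} {
		out, err := SafeCachePath(base, p)
		fmt.Printf("%-26s -> %q %v\n", p, out, err)
	}
}
```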
CVE-2021-3907 is a directory traversal vulnerability in cfrpki, allowing attackers to potentially read arbitrary files on the system if versions prior to 1.4.4 are used.
You are affected if you are using cfrpki versions earlier than 1.4.4. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to cfrpki version 1.4.4 or later to resolve the vulnerability. If immediate upgrade is not possible, implement input validation on file paths.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-3907, but the potential for exploitation exists.
Refer to the cfrpki project's repository and associated security advisories for details: [https://github.com/cloudflare/cfrpki](https://github.com/cloudflare/cfrpki)