Improper sanitization of delegated role names in tough

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

对路径名的限制不恰当(路径遍历)

tough library 路径遍历漏洞

tough library是一款用于使用和生成TUF存储库的工具。 Tough library 0.12.0之前版本存在安全漏洞，该漏洞源于程序在缓存存储库或从文件系统加载存储库时无法正确清理委派的角色名称。

N/A

N/A