CVE-2021-41150

Description

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Related CPE's

Could not find any relations

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

AttackVector

NETWORK

AttackComplexity

HIGH

PrivilegesRequired

LOW

UserInteraction

NONE

Scope

CHANGED

ConfidentialityImpact

HIGH

IntegrityImpact

HIGH

AvailabilityImpact

NONE

BaseScore

8.2

BaseSeverity

HIGH

CvssV2 impact

Could not find any metrics