Improper Sanitization of Delegated Role Names in Tough Library (CVE-2021-38154)

Improper Sanitization of Delegated Role Names in Tough Library (CVE-2021-38154)

CVE-2021-41150 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Learn more about our Web Application Penetration Testing UK.