go-tuf (TAP 4 Multirepo Client), Path Traversal, CVE (High)

Listen to this Post

The vulnerability exists in the `initTUFClients()` function within multirepo.go. When initializing a multi-repository TUF client, the code constructs a local metadata directory path by joining a base directory (LocalMetadataDir) with a repository name (repoName) taken from an external map file using filepath.Join(). No validation is performed on the `repoName` string. An attacker who controls the map file content can set `repoName` to a string containing directory traversal sequences like ../../../etc. When this malicious string is passed to filepath.Join(), the resulting path escapes the intended base cache directory. During client initialization, the code creates directories and writes a `root.json` metadata file to this constructed path, leading to arbitrary file creation or overwrite at a location of the attacker’s choice, contingent on the process’s filesystem permissions.
Platform: go-tuf TAP 4
Version: ≤ 2.4.0
Vulnerability: Path Traversal
Severity: High
date: Unknown

Prediction: Patch expected

What Undercode Say:

rm -rf _poc
mkdir -p _poc
unzip -q -o poc.zip -d _poc
cd _poc/poc
make canonical
metadataDir := filepath.Join(client.Config.LocalMetadataDir, repoName)

How Exploit:

Attacker controls map file.

RepoName contains `../` sequences.

Writes `root.json` outside `LocalMetadataDir`.

Protection from this CVE

Validate repository names.

Reject path separators, traversal.

Use `DisableLocalCache=true`.

Impact:

Arbitrary file write.

Potential configuration overwrite.

Further system compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top