Listen to this Post
The vulnerability exists in the `initTUFClients()` function within multirepo.go. When initializing a multi-repository TUF client, the code constructs a local metadata directory path by joining a base directory (LocalMetadataDir) with a repository name (repoName) taken from an external map file using filepath.Join(). No validation is performed on the `repoName` string. An attacker who controls the map file content can set `repoName` to a string containing directory traversal sequences like ../../../etc. When this malicious string is passed to filepath.Join(), the resulting path escapes the intended base cache directory. During client initialization, the code creates directories and writes a `root.json` metadata file to this constructed path, leading to arbitrary file creation or overwrite at a location of the attacker’s choice, contingent on the process’s filesystem permissions.
Platform: go-tuf TAP 4
Version: ≤ 2.4.0
Vulnerability: Path Traversal
Severity: High
date: Unknown
Prediction: Patch expected
What Undercode Say:
rm -rf _poc mkdir -p _poc unzip -q -o poc.zip -d _poc cd _poc/poc make canonical
metadataDir := filepath.Join(client.Config.LocalMetadataDir, repoName)
How Exploit:
Attacker controls map file.
RepoName contains `../` sequences.
Writes `root.json` outside `LocalMetadataDir`.
Protection from this CVE
Validate repository names.
Reject path separators, traversal.
Use `DisableLocalCache=true`.
Impact:
Arbitrary file write.
Potential configuration overwrite.
Further system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

