PT-2021-23130 · Tough · Tough

Jkuf · Published 2021-10-19 · Updated 2021-10-26 · CVE-2021-41150

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: tough versions prior to 0.12.0

Description: The tough library does not properly sanitize delegated role names when caching a repository or loading a repository from the filesystem. This can lead to files ending with the .json extension being overwritten with role metadata anywhere on the system. The issue is mitigated by the fact that it only affects implementations that allow arbitrary role name selection for delegated targets metadata, and the attack requires the ability to insert new metadata for the path-traversing role and get the role delegated by an existing targets metadata. The written file content is heavily restricted, since it needs to be a valid, signed targets file, and the file extension is always .json.

Recommendations: For tough versions prior to 0.12.0, update to version 0.12.0 or newer to resolve the issue. As a temporary workaround, consider restricting the allowed character set for role names or storing metadata in files named in a way that is not vulnerable, although these approaches require code changes.
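The workaround above (restrict the role name character set, or derive a file name that cannot traverse) can be illustrated with a small Rust helper. This is an added example written for this page; it is not code from tough and does not claim to reproduce the project's 0.12.0 fix. The function names `encode_role_name` and `role_metadata_path`, the allow-list of bytes that pass through unencoded, and the base directory used in `main` are all assumptions made here. Every byte outside `[A-Za-z0-9._-]` (so `/`, `\`, `%`, NUL and friends) is percent-encoded, and the joined path is then checked to still be a direct child of the base directory.

```rust
use std::path::{Path, PathBuf};

/// Bytes allowed to pass through unchanged. Everything else, in particular the
/// path separators '/' and '\\' and the escape character '%', is encoded.
/// (Allow-list chosen for this example; not tough's own.)
fn is_safe_byte(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'-' || b == b'_' || b == b'.'
}

/// Turn a delegated role name into a single, separator-free path component.
/// "../../etc/x" becomes "..%2F..%2Fetc%2Fx", which is an ordinary file name.
pub fn encode_role_name(role: &str) -> String {
    let mut out = String::with_capacity(role.len());
    for b in role.bytes() {
        if is_safe_byte(b) {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// Build the on-disk path for a role's metadata file under `base`.
/// Refuses empty names, and as defense in depth re-checks that the result is a
/// direct child of `base` (it always should be after encoding).
pub fn role_metadata_path(base: &Path, role: &str) -> Result<PathBuf, String> {
    if role.is_empty() {
        return Err("empty role name".to_string());
    }
    let file_name = format!("{}.json", encode_role_name(role));
    let path = base.join(&file_name);
    match path.parent() {
        Some(parent) if parent == base => Ok(path),
        _ => Err(format!("role name {:?} would escape {:?}", role, base)),
    }
}

fn main() {
    // Constructed inputs: a benign role and a traversal attempt.
    let base = Path::new("/var/cache/tuf/metadata"); // assumed cache directory
    for role in ["targets", "../../../tmp/evil", "..\\..\\evil"] {
        match role_metadata_path(base, role) {
            Ok(p) => println!("{:?} -> {}", role, p.display()),
            Err(e) => println!("{:?} rejected: {}", role, e),
        }
    }
}
```

The important property is that the encoded name never contains a separator, so no role name can select a directory other than `base`; the final `parent() == base` check is cheap and catches any future change to the allow-list that reintroduces one.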

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-41150
GHSA-R56Q-VV3C-6G9C
GHSA-WJW6-2CQR-J4QR

Affected Products

Tough