{"id":"GO-2022-0248","summary":"Directory traversal in manifest path extraction in github.com/cloudflare/cfrpki","details":"Manifest path extraction is vulnerable to directory traversal attacks.\n\nThe ExtractPathManifest function permits file paths containing relative directory components (\"..\"), permitting files to reference arbitrary locations on the filesystem.","aliases":["CVE-2021-3907","GHSA-8459-6rc9-8vf8","GHSA-cqh2-vc2f-q4fh"],"modified":"2026-03-17T04:13:42.381278Z","published":"2022-07-15T23:07:18Z","related":["GHSA-3jhm-87m6-x959"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0248","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284"},{"type":"FIX","url":"https://github.com/cloudflare/cfrpki/commit/a053a808feeb3115c76b6cc263ee55598ce6e8cd"}],"affected":[{"package":{"name":"github.com/cloudflare/cfrpki","ecosystem":"Go","purl":"pkg:golang/github.com/cloudflare/cfrpki"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.4"}]}],"ecosystem_specific":{"imports":[{"symbols":["ExtractPathManifest","SimpleManager.Explore","SimpleManager.ExploreAdd","Validator.AddManifest","Validator.AddResource"],"path":"github.com/cloudflare/cfrpki/validator/pki"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0248.json"}}],"schema_version":"1.7.5","credits":[{"name":"Koen van Hove"}]}