x/vulndb: potential Go vuln in github.com/cloudflare/cfrpki/cmd/octorpki: GHSA-3jhm-87m6-x959

[GoVulnBot]

In GitHub Security Advisory GHSA-3jhm-87m6-x959, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cloudflare/cfrpki/cmd/octorpki	1.4.3	< 1.4.3

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/cloudflare/cfrpki/cmd/octorpki
    versions:
      - fixed: 1.4.3
description: |+
    ### Impact
    The existing URI path filters in OctoRPKI (version < 1.4.3) mitigating Path traversal vulnerability could be bypassed by an attacker. In case a malicious TAL file is parsed, it was possible to write files outside the base cache folder.

    ### Patches
    The issue was fixed in version 1.4.3

    ### References
    [CVE-2021-3907](https://www.cvedetails.com/cve/CVE-2021-3907/)

published: 2022-06-25T07:12:08Z
last_modified: 2022-06-25T07:12:08Z
ghsas:
  - GHSA-3jhm-87m6-x959
links:
    context:
      - https://github.com/advisories/GHSA-3jhm-87m6-x959

[neild]

The fix for this vulnerability does touch an importable package (github.com/cloudflare/cfrpki/validator/pki). The fix makes a backwards-incompatible change to a function signature, the package has no documentation, and pkg.go.dev reports no importers of this package, so I think it is safe to say that this is an internal package.

Aside from that package, this is a vulnerability in a tool.

[gopherbot]

Change https://go.dev/cl/592768 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607219 mentions this issue: data/reports: unexclude 20 reports (17)