CVE-2021-3907

7.4 HIGH

📋 TL;DR

OctoRPKI has a path traversal vulnerability where malicious repositories can write files outside the designated cache directory using '..' sequences in URIs. This allows attackers to potentially achieve remote code execution on systems running OctoRPKI. Affected users are those running vulnerable versions of OctoRPKI that fetch from untrusted repositories.
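Added example, not code from OctoRPKI or the advisory: a Go check that maps an rsync repository URI to a location under the cache directory and refuses any URI whose cleaned path escapes it, shown beside the unsafe join pattern the advisory describes. Cache directory and repository URIs are constructed placeholders, and the separator handling assumes a Unix host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrEscapesCache is returned when a URI would map outside the cache directory.
var ErrEscapesCache = errors.New("uri resolves outside cache directory")

// naiveCachePath shows the unsafe pattern the advisory describes: host and
// path of the rsync URI are joined onto the cache directory with no check
// on where the cleaned result lands. Kept only for contrast.
func naiveCachePath(cacheDir, rsyncURI string) string {
	u, _ := url.Parse(rsyncURI)
	return filepath.Join(cacheDir, u.Host, u.Path)
}

// safeCachePath derives the on-disk location for a repository object and
// rejects any URI whose cleaned path would leave cacheDir.
func safeCachePath(cacheDir, rsyncURI string) (string, error) {
	u, err := url.Parse(rsyncURI)
	if err != nil {
		return "", err
	}
	if u.Scheme != "rsync" || u.Host == "" {
		return "", fmt.Errorf("unsupported uri %q", rsyncURI)
	}
	root, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	// Join cleans '..' segments, so the result is a canonical absolute path;
	// Rel then tells us whether that path still sits below root.
	p := filepath.Join(root, u.Host, u.Path)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesCache
	}
	return p, nil
}

func main() {
	// Constructed sample URI carrying '..' segments; expect ErrEscapesCache.
	p, err := safeCachePath("/var/cache/octorpki", "rsync://rpki.example.net/repo/../../../escaped.txt")
	fmt.Println(p, err)
}
```

The same check belongs wherever a fetched object name is turned into a filesystem path, since the URI is attacker-controlled once a repository is compromised.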

💻 Affected Systems

Products:
  • OctoRPKI
  • cfrpki
Versions: Versions prior to v1.4.0
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems fetching from repositories via rsync protocol with untrusted sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
🟠 Likely Case: Arbitrary file write to sensitive locations, potentially enabling privilege escalation or persistence mechanisms.
🟢 If Mitigated: Contained file writes limited to the cache directory, with no system impact.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious repository URIs without authentication.
🏢 Internal Only: MEDIUM - Requires internal repository compromise or malicious internal actor.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control over repository content but is straightforward once achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.4.0 and later

Vendor Advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959

Restart Required: Yes

Instructions:

1. Stop the OctoRPKI service.
2. Update to v1.4.0 or later via package manager or from source.
3. Restart the OctoRPKI service.

🔧 Temporary Workarounds

Restrict Repository Sources (platform: all)

Only allow connections to trusted, verified repositories.

# Configure OctoRPKI to use only trusted rsync sources in its configuration

Filesystem Restrictions (platform: linux)

Run OctoRPKI in a container or with restricted filesystem permissions.

# Run with AppArmor/SELinux profiles
# Use a chroot jail or container isolation

🧯 If You Can't Patch

  • Isolate OctoRPKI instances in network segments with no internet access
  • Implement strict egress filtering to allow only trusted repository connections

🔍 How to Verify

Check if Vulnerable:

Check OctoRPKI version: if < v1.4.0, system is vulnerable

Check Version:

octorpki --version

Verify Fix Applied:

Confirm the version is v1.4.0 or later, then test with a safe path traversal payload (a repository URI containing '..' sequences) and confirm nothing is written outside the cache directory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write patterns outside cache directory
  • Repository URIs containing '..' sequences

Network Indicators:

  • Connections to unknown/untrusted rsync repositories

SIEM Query:

source="octorpki.log" AND (uri="*../*" OR path="*/../*")
