CVE-2021-41131

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in python-tuf allows attackers to overwrite .json files anywhere on the client system by using path traversal characters in rolenames. It affects implementations that allow arbitrary rolename selection for delegated targets metadata. The impact is limited since attackers need to insert signed metadata and the written content must be valid targets files.

💻 Affected Systems

Products:
  • python-tuf (Python reference implementation of The Update Framework)
Versions: All versions before 0.19
Operating Systems: All operating systems running python-tuf
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects implementations allowing arbitrary rolename selection for delegated targets metadata.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary .json file overwrite anywhere on the client system, potentially leading to system compromise or data loss.

🟠

Likely Case

Limited file overwrite in specific directories where the client has write permissions, potentially disrupting application functionality.

🟢

If Mitigated

No impact if rolenames are restricted or metadata storage uses non-vulnerable naming schemes.

🌐 Internet-Facing: MEDIUM - Requires specific conditions (arbitrary rolename selection and ability to insert signed metadata) but could affect exposed update clients.
🏢 Internal Only: LOW - Requires internal compromise and specific configuration to exploit.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires:

1. The ability to insert new metadata for a path-traversing role.
2. Getting that role delegated by existing targets metadata.
3. Providing valid, signed targets file content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19 or newer

Vendor Advisory: https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr

Restart Required: Yes

Instructions:

1. Upgrade python-tuf to version 0.19 or newer using pip: `pip install "python-tuf>=0.19"` (the quotes keep the shell from treating `>=` as a redirection).
2. Restart any services using python-tuf.
3. Verify the update was successful.

🧯 If You Can't Patch

  • Restrict allowed character set for rolenames in your implementation
  • Implement custom metadata storage with non-vulnerable file naming
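Both workarounds above come down to never letting a rolename reach the filesystem unchecked. The following is example code added for this page, not python-tuf's own implementation: it shows a restricted-character-set check with a resolved-path guard, and an alternative percent-encoding filename scheme. The allowed character set and the `metadata` directory name are assumptions for the example.

```python
"""Defensive mapping of TUF delegated rolenames to local .json filenames.
Added example, not python-tuf code; the allowed character set is an assumption."""
import re
from pathlib import Path
from urllib.parse import quote

# Strategy 1 (restrict): conservative allowlist, assumed for this example.
_SAFE_ROLENAME = re.compile(r"[A-Za-z0-9_.-]+")


def is_safe_rolename(rolename: str) -> bool:
    """True if non-empty, not '.' or '..', and made only of allowed characters."""
    if rolename in ("", ".", ".."):
        return False
    return _SAFE_ROLENAME.fullmatch(rolename) is not None


def metadata_path_restricted(metadata_dir: str, rolename: str) -> Path:
    """Map a rolename to <metadata_dir>/<rolename>.json, refusing traversal."""
    if not is_safe_rolename(rolename):
        raise ValueError(f"rejected rolename: {rolename!r}")
    base = Path(metadata_dir).resolve()
    target = (base / f"{rolename}.json").resolve()
    # Second line of defence: the resolved file must sit directly inside base.
    if target.parent != base:
        raise ValueError(f"rolename escapes metadata dir: {rolename!r}")
    return target


def rolename_is_accepted(metadata_dir: str, rolename: str) -> bool:
    """Convenience wrapper returning True only if the rolename maps safely."""
    try:
        metadata_path_restricted(metadata_dir, rolename)
        return True
    except ValueError:
        return False


# Strategy 2 (encode): accept any rolename but percent-encode everything outside
# the unreserved set, so '/', '\\' and similar never reach the filesystem
# and distinct rolenames still yield distinct filenames.
def metadata_filename_encoded(rolename: str) -> str:
    return quote(rolename, safe="") + ".json"


if __name__ == "__main__":
    # Constructed sample rolenames: one benign, two traversal attempts.
    for name in ("delegated-role", "../../outside", "..\\..\\outside"):
        print(f"{name!r}: restricted={rolename_is_accepted('metadata', name)}"
              f" encoded={metadata_filename_encoded(name)!r}")
```

The encoded scheme makes the traversal attempt a harmless literal filename inside the metadata directory, while the restricted scheme rejects it outright; choose one and apply it at the single point where rolenames become paths.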

🔍 How to Verify

Check if Vulnerable:

Check python-tuf version: 'pip show python-tuf' or 'python -c "import tuf; print(tuf.__version__)"' - if version < 0.19, you are vulnerable.

Check Version:

python -c "import tuf; print(tuf.__version__)"

Verify Fix Applied:

After upgrading, verify version is 0.19 or newer using same commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations to .json files outside expected metadata directories
  • Path traversal patterns in rolename parameters

Network Indicators:

  • Unusual metadata requests with path traversal characters in rolenames

SIEM Query:

Search for file write events to .json files with path traversal patterns (e.g., '..' or '../') in file paths from python-tuf processes.
