CVE-2021-41149

8.2 HIGH

📋 TL;DR

CVE-2021-41149 is a path traversal vulnerability in the Tough TUF library that allows attackers to overwrite arbitrary files on the system when caching repositories or saving targets. This affects all users of Tough library versions before 0.12.0 who cache repositories or save specific targets to output directories.

💻 Affected Systems

Products:
  • tough (Rust TUF library)
Versions: All versions prior to 0.12.0
Operating Systems: All platforms where Rust runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when caching repositories or saving specific targets to output directories.
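The defect class behind this CVE is a target name taken from repository metadata being joined onto the output directory without checking that the result stays inside it. The following is an added example written for this page, not code from the tough project or its fix; it shows the lexical containment check an application or library should apply before writing a target to disk. The names `safe_target_path` and `TargetPathError`, and the sample output directory and target names in `main`, are assumptions made here.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a target name is refused (illustrative names, not tough's API).
#[derive(Debug, PartialEq)]
pub enum TargetPathError {
    /// The name is empty or contains only `.` components.
    Empty,
    /// The name is absolute (starts with `/` or a drive prefix).
    Absolute,
    /// The name contains a `..` component, which could leave `outdir`.
    ParentDir,
}

/// Map a target name from TUF targets metadata to a file path under `outdir`.
///
/// The check is purely lexical (no filesystem access, no symlink resolution):
/// absolute names and any `..` component are refused outright, since a
/// legitimate target name has no reason to contain either. On success the
/// result is `outdir` joined with one or more normal components only.
pub fn safe_target_path(outdir: &Path, target_name: &str) -> Result<PathBuf, TargetPathError> {
    let mut resolved = outdir.to_path_buf();
    let mut depth = 0;
    for component in Path::new(target_name).components() {
        match component {
            Component::Normal(part) => {
                resolved.push(part);
                depth += 1;
            }
            Component::CurDir => {}
            Component::ParentDir => return Err(TargetPathError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(TargetPathError::Absolute),
        }
    }
    if depth == 0 {
        return Err(TargetPathError::Empty);
    }
    Ok(resolved)
}

fn main() {
    // Constructed sample: an output directory and target names of the shape a
    // repository could supply. Nothing here is written to disk.
    let outdir = Path::new("/var/cache/tuf/targets");
    for name in ["pkgs/app-1.0.tar.gz", "../../opt/app/config.toml", "/etc/hostname", "./", ""].iter() {
        match safe_target_path(outdir, name) {
            Ok(p) => println!("{:?} -> write {}", name, p.display()),
            Err(e) => println!("{:?} -> refused: {:?}", name, e),
        }
    }
}
```

Refusing `..` outright is deliberately stricter than resolving it: a name such as `a/../b` would resolve inside `outdir`, but accepting it buys nothing and keeps the check from having to reason about how many components have been descended.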

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary file overwrite, potentially leading to remote code execution, data destruction, or privilege escalation.

🟠 Likely Case

Data corruption, denial of service, or unauthorized file modification in TUF repository operations.

🟢 If Mitigated

Limited impact with proper file permissions and sandboxing, but still potential for data integrity issues.

🌐 Internet-Facing: MEDIUM - Requires interaction with malicious TUF repositories, but automated tools could exploit this.
🏢 Internal Only: LOW - Typically requires access to internal repository infrastructure or malicious internal repositories.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires control over TUF repository content or ability to influence target names.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.0

Vendor Advisory: https://github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m485

Restart Required: No

Instructions:

1. Update Cargo.toml to specify 'tough = "^0.12.0"'
2. Run 'cargo update'
3. Rebuild and redeploy applications using the library

🔧 Temporary Workarounds

No known workarounds


The advisory states that no workarounds are available for this vulnerability.

🧯 If You Can't Patch

  • Restrict file system permissions for the application using tough library
  • Run application in containerized/sandboxed environment with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for tough dependency version below 0.12.0

Check Version:

grep -A2 -B2 'tough' Cargo.lock || grep 'tough' Cargo.toml

Verify Fix Applied:

Verify tough version is 0.12.0 or higher in Cargo.lock
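To go beyond eyeballing grep output, here is an added example (not tough's or Cargo's code) that parses the `[[package]]` entries of a Cargo.lock and reports every `tough` entry below 0.12.0, the fixed version named above. The lock-file text and the crate versions in it are constructed for the example, and `scan_cargo_lock`, `is_vulnerable` and `parse_version` are names chosen here.

```rust
/// First version containing the fix for CVE-2021-41149, per the advisory.
pub const FIXED_VERSION: (u64, u64, u64) = (0, 12, 0);

/// Parse `MAJOR.MINOR.PATCH`, ignoring any `-pre` or `+build` suffix.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// `Some(true)` if the version predates the fix; `None` if it cannot be parsed.
pub fn is_vulnerable(version: &str) -> Option<bool> {
    parse_version(version).map(|v| v < FIXED_VERSION)
}

/// Walk every `[[package]]` entry in a Cargo.lock and report each `tough`
/// entry as `(version, vulnerable)`. A lock file can legitimately pin more
/// than one version of a crate, so all entries are returned. An entry whose
/// version cannot be parsed is reported as vulnerable rather than ignored.
pub fn scan_cargo_lock(lock: &str) -> Vec<(String, bool)> {
    let mut results = Vec::new();
    for entry in lock.split("[[package]]").skip(1) {
        let mut name = None;
        let mut version = None;
        for line in entry.lines() {
            let line = line.trim();
            if let Some(rest) = line.strip_prefix("name = ") {
                name = Some(rest.trim_matches('"'));
            } else if let Some(rest) = line.strip_prefix("version = ") {
                version = Some(rest.trim_matches('"'));
            }
        }
        if let (Some("tough"), Some(v)) = (name, version) {
            results.push((v.to_string(), is_vulnerable(v).unwrap_or(true)));
        }
    }
    results
}

/// Constructed Cargo.lock excerpt; the crate versions are illustrative only.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tough"
version = "0.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (version, vulnerable) in scan_cargo_lock(SAMPLE_LOCK) {
        let verdict = if vulnerable { "VULNERABLE (< 0.12.0)" } else { "fixed" };
        println!("tough {} -> {}", version, verdict);
    }
}
```

Checking Cargo.lock rather than Cargo.toml matters because a `^0.11` requirement in Cargo.toml says nothing about which version is actually resolved; the lock file is what gets built.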

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations outside expected directories
  • Path traversal patterns in file operations

Network Indicators:

  • Connections to untrusted TUF repositories
  • Unusual repository fetch patterns

SIEM Query:

File creation events with path traversal patterns (../) from tough-related processes
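The SIEM query above is stated in prose. As an added example (not taken from the page's source or from any SIEM product), the following reads constructed `key=value` file-creation audit lines, keeps only `op=create` events from processes whose name contains `tough`, and raises a finding when the written path contains a `..` component or, once `..` is resolved lexically, lands outside the expected output directory. The log format, the process name `tough-updater`, and the `/var/cache/tuf` directory are assumptions made here.

```rust
use std::path::{Component, Path, PathBuf};

/// A file-creation event parsed from the constructed `key=value` audit format
/// used below (not the format of any real audit system).
#[derive(Debug, PartialEq)]
pub struct FileEvent<'a> {
    pub ts: &'a str,
    pub process: &'a str,
    pub path: &'a str,
}

/// Parse one line; returns `None` for lines that are not `op=create` events
/// or that lack a required field.
pub fn parse_event(line: &str) -> Option<FileEvent<'_>> {
    let (mut ts, mut process, mut path, mut op) = (None, None, None, None);
    for token in line.split_whitespace() {
        if let Some((key, value)) = token.split_once('=') {
            match key {
                "ts" => ts = Some(value),
                "proc" => process = Some(value),
                "path" => path = Some(value),
                "op" => op = Some(value),
                _ => {}
            }
        }
    }
    if op? != "create" {
        return None;
    }
    Some(FileEvent { ts: ts?, process: process?, path: path? })
}

/// Resolve `.` and `..` lexically, without touching the filesystem.
pub fn lexical_normalize(path: &str) -> PathBuf {
    let mut out = PathBuf::new();
    for component in Path::new(path).components() {
        match component {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// The written path literally contains a `..` component.
    TraversalPattern,
    /// The path, once `..` is resolved, is not under the expected directory.
    OutsideOutdir,
}

/// Apply the two indicators above to one event; non-tough processes are ignored.
pub fn classify(event: &FileEvent, outdir: &Path) -> Vec<Finding> {
    let mut findings = Vec::new();
    if !event.process.contains("tough") {
        return findings;
    }
    if Path::new(event.path).components().any(|c| c == Component::ParentDir) {
        findings.push(Finding::TraversalPattern);
    }
    if !lexical_normalize(event.path).starts_with(outdir) {
        findings.push(Finding::OutsideOutdir);
    }
    findings
}

/// Scan a whole log; returns `(line, findings)` for each suspicious event.
pub fn scan_log<'a>(log: &'a str, outdir: &Path) -> Vec<(&'a str, Vec<Finding>)> {
    log.lines()
        .filter_map(|line| parse_event(line).map(|ev| (line, classify(&ev, outdir))))
        .filter(|(_, findings)| !findings.is_empty())
        .collect()
}

/// Constructed audit lines: one benign write, one traversal, one write to an
/// unexpected directory, one unrelated process, and one non-create event.
pub const SAMPLE_LOG: &str = "\
ts=2021-10-19T12:00:01Z proc=tough-updater op=create path=/var/cache/tuf/targets/app-1.0.tar.gz
ts=2021-10-19T12:00:02Z proc=tough-updater op=create path=/var/cache/tuf/targets/../../../opt/app/config.toml
ts=2021-10-19T12:00:03Z proc=tough-updater op=create path=/tmp/scratch.bin
ts=2021-10-19T12:00:04Z proc=nginx op=create path=/var/log/nginx/../access.log
ts=2021-10-19T12:00:05Z proc=tough-updater op=read path=/etc/hostname
";

fn main() {
    let outdir = Path::new("/var/cache/tuf");
    for (line, findings) in scan_log(SAMPLE_LOG, outdir) {
        println!("{:?}\n    {}", findings, line);
    }
}
```

The second indicator is the one worth keeping even after patching: a write by the updater outside its cache directory is anomalous regardless of whether the path still contains a literal `..`, since the kernel only ever sees the resolved path.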

🔗 References
