CVE-2021-41150

8.2 HIGH

📋 TL;DR

CVE-2021-41150 is a path traversal vulnerability in the Tough TUF library that allows attackers to overwrite arbitrary JSON files on the system when repositories are cached or loaded. This affects systems using Tough library versions prior to 0.12.0 for managing TUF repositories. The vulnerability enables potential data corruption, privilege escalation, or remote code execution depending on file locations.

💻 Affected Systems

Products:
  • Tough TUF library
  • Applications using Tough library for TUF repository management
Versions: All versions prior to 0.12.0
Operating Systems: All operating systems running Rust applications using Tough library
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configuration when using delegated roles in TUF repositories.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution via overwriting critical system files, privilege escalation, or complete system compromise if sensitive JSON files are overwritten.

🟠

Likely Case

Data corruption, denial of service, or unauthorized modification of application configuration files leading to service disruption.

🟢

If Mitigated

Limited to application-specific file corruption if proper file permissions and isolation are implemented.

🌐 Internet-Facing: MEDIUM - Requires interaction with TUF repository operations, but could be exploited if repository management is exposed.
🏢 Internal Only: MEDIUM - Internal systems using vulnerable Tough library for repository management remain at risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to interact with TUF repository operations and knowledge of delegated role names that can be manipulated for path traversal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.0 and later

Vendor Advisory: https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c

Restart Required: Yes

Instructions:

1. Update the Tough library to version 0.12.0 or later.
2. Update Cargo.toml to specify 'tough = "^0.12.0"'.
3. Run 'cargo update'.
4. Rebuild and restart affected applications.

🔧 Temporary Workarounds

No known workarounds


The advisory states no workarounds are known for this vulnerability.

🧯 If You Can't Patch

  • Implement strict file system permissions to limit write access for the application user
  • Isolate TUF repository operations in containerized environments with restricted filesystem access

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for the Tough dependency version. If the version is lower than 0.12.0, the system is vulnerable.

Check Version:

grep -E 'tough.*[0-9]+\.[0-9]+\.[0-9]+' Cargo.toml Cargo.lock || cargo tree | grep tough

Verify Fix Applied:

Verify that the Tough version recorded in Cargo.lock is 0.12.0 or higher, and test repository operations with delegated role names that contain path separators to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations to .json files outside expected repository directories
  • Errors related to delegated role name validation

Network Indicators:

  • Unusual TUF repository fetch patterns or unexpected delegated role requests

SIEM Query:

process.name:"application_using_tough" AND file.path:"*.json" AND file.operation:"write" AND NOT file.path:"/expected/repo/path/*"

🔗 References
