x/vulndb: potential Go vuln in github.com/cloudflare/cfrpki/cmd/octorpki: GHSA-3pqh-p72c-fj85 #580

julieqiu · 2022-08-01T18:12:35Z

In GitHub Security Advisory GHSA-3pqh-p72c-fj85, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cloudflare/cfrpki/cmd/octorpki	1.4.2	< 1.4.2

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/cloudflare/cfrpki/cmd/octorpki
    versions:
      - fixed: 1.4.2
description: "### Impact\n\nWhen copying files with rsync, octorpki uses the \"-a\"
    flag 0, which forces rsync to copy binaries with the suid bit set as root. Since
    the provided service definition defaults to root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service)
    this could allow for a vector, when combined with another vulnerability that causes
    octorpki to process a malicious TAL file, for a local privilege escalation.  \n\n##
    For more information\n\nIf you have any questions or comments about this advisory
    email us at security@cloudflare.com"
published: 2021-11-19T19:34:26Z
last_modified: 2022-04-19T19:03:15Z
cves:
  - CVE-2021-3978
ghsas:
  - GHSA-3pqh-p72c-fj85
links:
    context:
      - https://github.com/advisories/GHSA-3pqh-p72c-fj85

The text was updated successfully, but these errors were encountered:

tatianab · 2022-08-09T19:31:01Z

Vulnerability in command, not importable

gopherbot · 2024-06-14T19:51:21Z

Change https://go.dev/cl/592769 mentions this issue: data/reports: unexclude 50 reports

gopherbot · 2024-08-20T19:35:44Z

Change https://go.dev/cl/607221 mentions this issue: data/reports: unexclude 20 reports (19)

- data/reports/GO-2022-0573.yaml - data/reports/GO-2022-0576.yaml - data/reports/GO-2022-0577.yaml - data/reports/GO-2022-0578.yaml - data/reports/GO-2022-0579.yaml - data/reports/GO-2022-0580.yaml - data/reports/GO-2022-0583.yaml - data/reports/GO-2022-0584.yaml - data/reports/GO-2022-0585.yaml - data/reports/GO-2022-0590.yaml - data/reports/GO-2022-0591.yaml - data/reports/GO-2022-0593.yaml - data/reports/GO-2022-0595.yaml - data/reports/GO-2022-0597.yaml - data/reports/GO-2022-0599.yaml - data/reports/GO-2022-0600.yaml - data/reports/GO-2022-0602.yaml - data/reports/GO-2022-0604.yaml - data/reports/GO-2022-0606.yaml - data/reports/GO-2022-0608.yaml Updates #573 Updates #576 Updates #577 Updates #578 Updates #579 Updates #580 Updates #583 Updates #584 Updates #585 Updates #590 Updates #591 Updates #593 Updates #595 Updates #597 Updates #599 Updates #600 Updates #602 Updates #604 Updates #606 Updates #608 Change-Id: Ia252601b7fb2d97b5dfa7d95d14ebbb1b9cc0459 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607221 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>

julieqiu assigned tatianab Aug 3, 2022

tatianab assigned tatianab and unassigned tatianab Aug 4, 2022

tatianab added the NotGoVuln label Aug 9, 2022

tatianab closed this as completed Aug 9, 2022

neild added excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed NotGoVuln labels Aug 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/cloudflare/cfrpki/cmd/octorpki: GHSA-3pqh-p72c-fj85 #580

x/vulndb: potential Go vuln in github.com/cloudflare/cfrpki/cmd/octorpki: GHSA-3pqh-p72c-fj85 #580

julieqiu commented Aug 1, 2022

tatianab commented Aug 9, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/cloudflare/cfrpki/cmd/octorpki: GHSA-3pqh-p72c-fj85 #580

x/vulndb: potential Go vuln in github.com/cloudflare/cfrpki/cmd/octorpki: GHSA-3pqh-p72c-fj85 #580

Comments

julieqiu commented Aug 1, 2022

tatianab commented Aug 9, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024