CNNVD-202601-4616 Information
CNNVD ID
CNNVD-202601-4616
Related CVE
-
CNNVD Published: 2026-01-27
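Description (translated from Chinese)
go-tuf is an open-source framework from The Update Framework for securing software update systems. go-tuf versions from 2.0.0 up to, but not including, 2.4.1 contain a path traversal vulnerability. The vulnerability arises because a repository name string is used as a file system path component, which may lead to directories being created and files being written outside the intended cache directory.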
Description (English)
go-tuf is an open-source framework from The Update Framework for protecting software update systems. go-tuf versions 2.0.0 up to, but not including, 2.4.1 have a path traversal vulnerability. It stems from using the repository name string as a file system path component, which may lead to the creation of directories and the writing of files outside the expected cache directory.
Hazard Level
High
Vulnerability Type
Path traversal
Affected Vendor
The Update Framework
Published
2026-01-27
Last Modified
2026-02-24
References
https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4
Patch
https://github.com/theupdateframework/go-tuf/releases