Improper Preservation of Permissions Affecting github.com/cloudflare/cfrpki/cmd/octorpki package, versions <1.4.1
21 Nov 2021
19 Nov 2021
Ties de Kock
How to fix?
Upgrade github.com/cloudflare/cfrpki/cmd/octorpki to version 1.4.1 or higher.
github.com/cloudflare/cfrpki/cmd/octorpki is an RPKI validator.
Affected versions of this package are vulnerable to Improper Preservation of Permissions. When copying files with rsync, octorpki uses the -a flag, which forces rsync to preserve file permissions, so binaries are copied with the SUID bit set while rsync runs as root. Since the provided service definition defaults to running as root, this provides a vector for local privilege escalation when combined with another vulnerability that causes octorpki to process a malicious TAL file.
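The behaviour described above is rsync -a faithfully preserving setuid/setgid bits on whatever it fetches. As an added defender-side example (not octorpki's own code), this Go program audits a validator cache directory for regular files carrying those bits and clears them while keeping the ordinary rwx permissions; the cache path in main is a placeholder.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// FindElevated walks root and returns the mode of every regular file carrying
// a setuid or setgid bit, which rsync -a preserves when it runs as root.
func FindElevated(root string) (map[string]fs.FileMode, error) {
	found := map[string]fs.FileMode{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip dirs, symlinks, specials
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode()&(fs.ModeSetuid|fs.ModeSetgid) != 0 {
			found[p] = info.Mode()
		}
		return nil
	})
	return found, err
}

// StripElevated clears setuid/setgid on each reported file (keeping its rwx bits) and returns the count changed.
func StripElevated(root string) (int, error) {
	files, err := FindElevated(root)
	if err != nil {
		return 0, err
	}
	for p, mode := range files {
		if err := os.Chmod(p, mode.Perm()); err != nil {
			return 0, err
		}
	}
	return len(files), nil
}

func main() {
	n, err := StripElevated("/var/cache/rpki") // placeholder path, not octorpki's own
	if err != nil {
		panic(err)
	}
	fmt.Println("cleared setuid/setgid on", n, "file(s)")
}
```

Running it as a periodic check against the directory the rsync fetches land in, or once after an upgrade, surfaces any elevated binaries that an earlier root-run sync may have left behind.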