{"id":"CVE-2021-41149","details":"Tough provides a set of Rust libraries and tools for using and generating The Update Framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository or when saving specific targets to an output directory. When targets are cached or saved, an unsanitized target name could cause files to be overwritten with arbitrary content anywhere on the system, not only inside the cache or output directory. A fix is available in version 0.12.0. No workarounds for this issue are known.","aliases":["GHSA-x3r5-q6mj-m485"],"modified":"2026-04-10T04:38:14.248203Z","published":"2021-10-19T18:15:08.093Z","related":["GHSA-x3r5-q6mj-m485"],"references":[{"type":"ADVISORY","url":"https://github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m485"},{"type":"FIX","url":"https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/awslabs/tough","events":[{"introduced":"0"},{"fixed":"e8f453e7c502ea2bbcbb8f76d38fa2674c895342"},{"fixed":"1809b9bd1106d78a51fbea3071aa97a3530bac9a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.12.0"}]}}],"versions":["olpc-cjson-v0.1.0","olpc-cjson-v0.1.1","olpc-cjson-v0.1.2","olpc-cjson-v0.1.3","tough-kms-v0.1.0","tough-kms-v0.1.1","tough-kms-v0.10.0","tough-kms-v0.3.1","tough-kms-v0.3.2","tough-kms-v0.3.3","tough-kms-v0.3.4","tough-kms-v0.3.6","tough-kms-v0.4.0","tough-kms-v0.4.1","tough-kms-v0.4.2","tough-kms-v0.5.0","tough-kms-v0.6.0","tough-kms-v0.7.0","tough-kms-v0.8.0","tough-kms-v0.9.0","tough-ssm-v0.1.0","tough-ssm-v0.10.0","tough-ssm-v0.11.0","tough-ssm-v0.12.0","tough-ssm-v0.13.0","tough-ssm-v0.2.0","tough-ssm-v0.3.0","tough-ssm-v0.4.0","tough-ssm-v0.6.1","tough-ssm-v0.6.2","tough-ssm-v0.6.3","tough-ssm-v0.6.4","tough-ssm-v0.6.6","tough-ssm-v0.7.0","tough-ssm-v0.7.1","tough-ssm-v0.7.2","tough-ssm-v0.8.0","tough-ssm-v0.9.0","tough-v0.1.0","tough-v0.11.1","tough-v0.11.2","tough-v0.11.3","tough-v0.12.0","tough-v0.12.2","tough-v0
.12.3","tough-v0.12.4","tough-v0.12.5","tough-v0.13.0","tough-v0.14.0","tough-v0.15.0","tough-v0.16.0","tough-v0.17.0","tough-v0.17.1","tough-v0.18.0","tough-v0.2.0","tough-v0.3.0","tough-v0.4.0","tough-v0.5.0","tough-v0.6.0","tough-v0.7.0","tough-v0.8.0","tough-v0.9.0","tuftool-v0.1.0","tuftool-v0.1.1","tuftool-v0.10.0","tuftool-v0.10.1","tuftool-v0.10.2","tuftool-v0.10.3","tuftool-v0.11.0","tuftool-v0.11.1","tuftool-v0.2.0","tuftool-v0.3.0","tuftool-v0.4.0","tuftool-v0.4.1","tuftool-v0.5.0","tuftool-v0.6.2","tuftool-v0.6.3","tuftool-v0.6.4","tuftool-v0.7.0","tuftool-v0.7.2","tuftool-v0.8.0","tuftool-v0.8.1","tuftool-v0.8.2","tuftool-v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}]}