{"id":"CVE-2021-41150","details":"Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.","aliases":["GHSA-r56q-vv3c-6g9c"],"modified":"2026-04-10T04:38:14.563725Z","published":"2021-10-19T20:15:08.263Z","related":["GHSA-r56q-vv3c-6g9c","GHSA-wjw6-2cqr-j4qr"],"references":[{"type":"ADVISORY","url":"https://github.com/awslabs/tough/security/advisories/GHSA-r56q-vv3c-6g9c"},{"type":"ADVISORY","url":"https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr"},{"type":"FIX","url":"https://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/awslabs/tough","events":[{"introduced":"0"},{"fixed":"e8f453e7c502ea2bbcbb8f76d38fa2674c895342"},{"fixed":"1809b9bd1106d78a51fbea3071aa97a3530bac9a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.12.0"}]}}],"versions":["olpc-cjson-v0.1.0","olpc-cjson-v0.1.1","olpc-cjson-v0.1.2","olpc-cjson-v0.1.3","tough-kms-v0.1.0","tough-kms-v0.1.1","tough-kms-v0.10.0","tough-kms-v0.3.1","tough-kms-v0.3.2","tough-kms-v0.3.3","tough-kms-v0.3.4","tough-kms-v0.3.6","tough-kms-v0.4.0","tough-kms-v0.4.1","tough-kms-v0.4.2","tough-kms-v0.5.0","tough-kms-v0.6.0","tough-kms-v0.7.0","tough-kms-v0.8.0","tough-kms-v0.9.0","tough-ssm-v0.1.0","tough-ssm-v0.10.0","tough-ssm-v0.11.0","tough-ssm-v0.12.0","tough-ssm-v0.13.0","tough-ssm-v0.2.0","tough-ssm-v0.3.0","tough-ssm-v0.4.0","tough-ssm-v0.6.1","tough-ssm-v0.6.2","tough-ssm-v0.6.3","tough-ssm-v0.6.4","tough-ssm-v0.6.6","tough-ssm-v0.7.0","tough-ssm-v0.7.1","tough-ssm-v0.7.2","tough-ssm-v0.8.0","tough-ssm-v0.9.0","tough-v0.1.0","tough-v0.11.1","tough-v0.11.2","tough-v0.11.3","tough-v0.12.0","tough-v0.12.2","tough-v0.12.3","tough-v0.12.4","tough-v0.12.5","tough-v0.13.0","tough-v0.14.0","tough-v0.15.0","tough-v0.16.0","tough-v0.17.0","tough-v0.17.1","tough-v0.18.0","tough-v0.2.0","tough-v0.3.0","tough-v0.4.0","tough-v0.5.0","tough-v0.6.0","tough-v0.7.0","tough-v0.8.0","tough-v0.9.0","tuftool-v0.1.0","tuftool-v0.1.1","tuftool-v0.10.0","tuftool-v0.10.1","tuftool-v0.10.2","tuftool-v0.10.3","tuftool-v0.11.0","tuftool-v0.11.1","tuftool-v0.2.0","tuftool-v0.3.0","tuftool-v0.4.0","tuftool-v0.4.1","tuftool-v0.5.0","tuftool-v0.6.2","tuftool-v0.6.3","tuftool-v0.6.4","tuftool-v0.7.0","tuftool-v0.7.2","tuftool-v0.8.0","tuftool-v0.8.1","tuftool-v0.8.2","tuftool-v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41150.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}