CVE-2026-49233 — Routinator has cache path traversal when processing the module component of rsyn

描述

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

如何修補 CVE-2026-49233

要修補 CVE-2026-49233,請將受影響套件升級到下列已修補版本。

crates.io/routinator—升級至 0.15.2 或更新版本

CVE-2026-49233 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-49233 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

from 0, < 0.15.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

參考連結(4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-49233
PATCHgithub.com/NLnetLabs/routinator
WEBgithub.com/NLnetLabs/routinator/releases/tag/v0.15.2
WEBwww.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt