CVE-2021-41150: 
Rust vulnerability analysis and mitigation

The tough library, a set of Rust libraries and tools for using and generating the update framework (TUF) repositories, was found to contain a security vulnerability (CVE-2021-41150) prior to version 0.12.0. The vulnerability was discovered and disclosed on October 19, 2021, affecting the library's handling of delegated role names during repository caching and filesystem operations (GitHub Advisory).

The vulnerability stems from improper sanitization of delegated role names when caching a repository or loading it from the filesystem. The issue specifically relates to the handling of path traversal constructs in delegated role names and target names. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata in unexpected locations on the system (GitHub Advisory).

The vulnerability could allow an attacker to overwrite files ending with the .json extension anywhere on the system when the repository is being cached or loaded. This could potentially lead to unauthorized file modifications and system compromise (GitHub Advisory).

A fix for this vulnerability is available in version 0.12.0 of the tough library. The update includes proper sanitization of delegated role names and target names to prevent path traversal issues. No workarounds are known for this vulnerability, making upgrading to version 0.12.0 or later the only viable solution (GitHub Advisory).