The CVE number for this vulnerability is CVE-2023-39915.

== Summary

The 'rrdp-keep-responses' option of Routinator suffers from a possible path traversal issue when storing RRDP responses.

== Affected products

Routinator 0.9.0 up to and including 0.12.1.

== Description

The rrdp-keep-responses feature introduced in Routinator 0.9.0 allows a user to store the content of responses received for RRDP requests. The location of these stored responses is constructed from the URL of the request. Because the URL is insufficiently sanitized, an attacker can craft a URL that results in the response being stored outside of the directory specified for it.

Since the feature is disabled by default, this issue only affects users who have enabled the rrdp-keep-responses setting either in the config file or via the command line.

Routinator 0.12.2 properly vets the URI when creating a path and does not store the response if a proper path cannot be determined.

== Solution

Install Routinator 0.12.2 or later, or disable the rrdp-keep-responses option.

== Acknowledgments

We would like to thank Haya Shulman, Donika Mirdita and Niklas Vogel from Fraunhofer SIT and ATHENE for discovering and reporting the issue.
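The following is an added illustration of the kind of check the description calls for: deriving an on-disk location for a stored RRDP response from the request URI while refusing any URI for which a safe path under the configured directory cannot be determined. It is not Routinator's own code; the function name `response_path`, the base directory and the sample URIs are assumptions made for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not Routinator's code): map an RRDP request URI to a
/// file path below `base`. Returns `None` whenever a safe path cannot be
/// determined, in which case the caller should simply not store the response.
pub fn response_path(base: &Path, uri: &str) -> Option<PathBuf> {
    // RRDP is fetched over HTTPS; anything else is rejected outright.
    let rest = uri.strip_prefix("https://")?;

    // Split into authority (host[:port]) and the remaining path.
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i + 1..]),
        None => (rest, ""),
    };

    // The authority becomes a directory name, so it must be a plain host
    // label: no separators, no empty name, and not made up only of dots.
    let host_char = |c: char| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | ':');
    if authority.is_empty()
        || !authority.chars().all(host_char)
        || authority.chars().all(|c| c == '.')
    {
        return None;
    }

    let mut out = base.join(authority);

    // Each path segment must be a single "normal" component. `.` and `..`
    // are CurDir/ParentDir components and are therefore refused; empty
    // segments (from `//`) are skipped. Percent-encoded text is not decoded,
    // so "%2e%2e" stays a literal file name rather than becoming "..".
    for segment in path.split('/') {
        if segment.is_empty() {
            continue;
        }
        let mut comps = Path::new(segment).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(_)), None) => out.push(segment),
            _ => return None,
        }
    }

    // Defence in depth: the result must still lie below the base directory.
    if out.starts_with(base) {
        Some(out)
    } else {
        None
    }
}

fn main() {
    // Constructed sample inputs, not taken from any real repository.
    let base = Path::new("/var/lib/routinator/rrdp");
    for uri in [
        "https://rrdp.example.net/notification.xml",
        "https://rrdp.example.net/../../etc/cron.d/job",
        "http://rrdp.example.net/notification.xml",
    ] {
        println!("{uri} -> {:?}", response_path(base, uri));
    }
}
```

The important design choice is that the function never tries to "clean up" a bad URI: a traversal component or an unexpected scheme causes the whole store operation to be skipped, which matches the behaviour the advisory describes for 0.12.2.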