Description
The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The CTFer.io Monitoring component suffers from an Archive Slip (path traversal) due to a missing trailing path separator in the sanitizeArchivePath function. The flaw allows an attacker to craft an extraction that writes arbitrary files, potentially overwriting critical system files such as SSH keys, kubeconfig, shell configs, or crontabs. This gives the attacker a path to remote code execution and persistent backdoors in the cluster environment. The vulnerability is classified as CWE-22.

Affected Systems

Affected only the ctfer-io:monitoring product. All releases before version 0.2.2 are impacted, including 0.2.1 and earlier. No specific subversion list is available, but any build prior to 0.2.2 is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 8.8, indicating high severity. EPSS data is not available, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires a pod with the default ReadWriteMany PVC access mode, allowing injection of malicious payloads. Attackers leveraging any pod in the cluster can exploit the flaw, and the lack of checks in the extraction process means the path traversal can be performed without additional privilege escalation.

Generated by OpenCVE AI on March 20, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ctfer-io:monitoring to version 0.2.2 or later.
  • Ensure that any PVCs used by monitoring are restricted to ReadWriteOnce or bound to non‑cluster‑wide storage if the supply of upgrades is delayed.

Generated by OpenCVE AI on March 20, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f7cq-gvh6-qr25 Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
History

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ctfer-io
Ctfer-io monitoring
Vendors & Products Ctfer-io
Ctfer-io monitoring

Fri, 20 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
Title Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L'}

Subscriptions

Ctfer-io Monitoring
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:45:32.747Z

Reserved: 2026-03-13T18:53:03.534Z

Link: CVE-2026-32771

cve-icon Vulnrichment

Updated: 2026-03-20T16:45:26.064Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T01:15:55.940

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-32771

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:43:36Z

Weaknesses