GitHub Advisory Database: GHSA-7G3V-4GGR-XVJF
History: Sep 20, 2023 - 6:30 a.m.

Croc may expose secret to local users

2023-09-20 06:30:50
Source: GitHub Advisory Database (github.com)
Tags: croc, secret exposure, local users, command line

CVSS3: 4.7
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 4.6
Confidence: High

EPSS: 0
Percentile: 5.1%

An issue was discovered in Croc before 9.6.16. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

Affected configurations

Vulners
Node: schollz croc, Range: <9.6.16

Vendor | Product | Version | CPE
schollz | croc | * | cpe:2.3:a:schollz:croc:*:*:*:*:*:*:*:*
