CVE-2025-24889
The CVE-2025-24889 issue affects the SecureDrop Client (Workstation) prior to versions 0.14.1 and 1.0.1. A path traversal flaw in the sd-log VM’s log-writing logic allows an attacker who already has code execution on another VM to cause code execution in sd-log by sending a crafted log entry. Thi...
CVE-2025-24888 Path traversal in SecureDrop Client API.download_reply()
The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to version 0.14.1, a malicious SecureDrop Server could obtain code execution on the SecureDrop Client virtual machine sd-app. SecureDrop Server...
CVE-2025-24888
The CVE-2025-24888 issue affects the SecureDrop Client, specifically the API.download_reply() path traversal flaw. The vulnerability arises from using the filename in the Content-Disposition header to write the encrypted reply to disk; although server-side filenames are sanitized, the file can be...
PT-2025-7041 · Unknown · Securedrop Client
Name of the Vulnerable Software and Affected Versions: SecureDrop Client versions prior to 0.14.1
Description: The issue lies in the code responsible for downloading replies in the SecureDrop Client. A malicious SecureDrop Server could obtain code execution on the SecureDrop Client virtual machin...
PT-2025-7042 · Unknown +1 · Securedrop Client +2
Name of the Vulnerable Software and Affected Versions: SecureDrop Client versions prior to 0.14.1 and 1.0.1
Description: The issue allows an attacker who has already gained code execution in a virtual machine on the SecureDrop Workstation to gain code execution in the sd-log virtual machine by...
SecureDrop Path Traversal Vulnerability
SecureDrop is an open source whistleblower submission system from the Freedom of the Press Foundation. It can be used by media organizations to securely accept documents from and communicate with anonymous sources. A path traversal vulnerability previously existed in SecureDrop version 0.14.1,...
CVE-2022-4563
A vulnerability rated as critical was found in Freedom of the Press SecureDrop. It affects unknown functionality in the file gpg-agent.conf, where manipulation leads to symlink following. Local access is required to exploit this issue. The name of the patch is...
MAL-2024-9832 Malicious code in securedrop (npm)
Source: ghsa-malware 9a6e71494cc9a9dcef7e0a491a7cf5c91eb09f8908655726169ff32e3a94a9c3. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2022-4563 Freedom of the Press SecureDrop gpg-agent.conf symlink
A vulnerability was found in Freedom of the Press SecureDrop. It has been rated as critical. Affected by this issue is some unknown functionality of the file gpg-agent.conf. The manipulation leads to symlink following. Local access is required to approach this attack. The name of the patch is...
PT-2022-27580 · Freedom Of The Press · Securedrop
Name of the Vulnerable Software and Affected Versions: Freedom of the Press SecureDrop, affected versions not specified
Description: A critical issue was found in Freedom of the Press SecureDrop, affecting some unknown functionality of the file gpg-agent.conf. The manipulation of this issue leads ...
CVE-2022-4563
CVE-2022-4563 affects Freedom of the Press SecureDrop. The issue concerns an unknown functionality in gpg-agent.conf where manipulation enables symlink following. Local access is required to exploit. A patch identified as b0526a06f8ca713cce74b63e00d3730618d89691 is available, and applying it is r...
SecureDrop Security Vulnerability
SecureDrop is an open source whistleblower submission system from the Freedom of the Press Foundation. Media organizations can use it to securely accept documents from and communicate with anonymous sources. SecureDrop suffers from a security vulnerability. An attacker exploited the vulnerability...
DEF CON and Feds Partner on Anonymous Bug Submission Program
Hacking conference organizer DEF CON Communications said it plans to roll out a global anonymous bug submission platform based on the SecureDrop communications tool. During a session at DEF CON in Las Vegas last week, conference founder Jeff Moss said the goal was to launch the yet-to-be-named...