Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory

Summary The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDGRUNTIMEDIR is unset, that runtime path falls back to /tmp/chrome-devtools-mcp-/daemon.pid. Because the write does not us...

Symlink Attack

Overview chrome-devtools-mcp is a MCP server for Chrome DevTools Affected versions of this package are vulnerable to Symlink Attack in the fs.writeFileSync process when writing the PID file to a runtime directory under /tmp if $XDGRUNTIMEDIR is unset. An attacker can overwrite or truncate arbitra...

GO-2025-4100 containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd...

CVE-2024-25621 containerd affected by a local privilege escalation via wide permissions on CRI directory

containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths /var/lib/containerd,...

EUVD-2014-0096

Malware in sbrugna...

Rakuraku PC Cloud Agent 安全漏洞

Rakuraku PC Cloud Agent is a cloud environment client. A security vulnerability exists in SS1 Ver.13.0.0.40 and earlier versions, Rakuraku PC Cloud Agent Ver.2.1.8 and earlier versions, which stems from incorrect access control. An attacker could use this vulnerability to bypass access restrictio...

SUSE CVE-2019-12439

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations related to XDGRUNTIMEDIR, a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code...

Cisco Webex Teams Windows Client DLL Hijacking Vulnerability

Cisco Webex Teams is a comprehensive communications application designed to provide you with all the necessary tools and the right environment to enhance team collaboration. A DLL hijacking vulnerability exists in the loading mechanism of specific DLLs in Cisco Webex Teams Windows clients...

OPENSUSE-SU-2020:1564-1 Security update for libqt5-qtbase

This update for libqt5-qtbase fixes the following issues: - CVE-2020-17507: Fixed a buffer overflow in XBM parser bsc1176315 - Fixed various issues discovered by fuzzing: - Made handling of XDGRUNTIMEDIR more secure bsc1172515: This update was imported from the SUSE:SLE-15-SP2:Update update proje...

SUSE-SU-2020:2751-1 Security update for libqt5-qtbase

This update for libqt5-qtbase fixes the following issues: - CVE-2020-17507: Fixed a buffer overflow in XBM parser bsc1176315 - Made handling of XDGRUNTIMEDIR more secure bsc1172515...

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR) a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.

...

bubblewrap: temporary directory misuse as mount point

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations related to XDGRUNTIMEDIR, a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code...

DEBIAN-CVE-2019-12439

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations related to XDGRUNTIMEDIR, a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code...

UBUNTU-CVE-2019-12439

bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations related to XDGRUNTIMEDIR, a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code...

CVE-2018-14659

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GFXATTRIOSTATSDUMPKEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr2' to trigger a state dump and create...

Directory traversal

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GFXATTRIOSTATSDUMPKEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr2' to trigger a state dump and create...

CVE-2018-14659

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GFXATTRIOSTATSDUMPKEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr2' to trigger a state dump and create...

DEBIAN-CVE-2018-14659

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GFXATTRIOSTATSDUMPKEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr2' to trigger a state dump and create...

UBUNTU-CVE-2018-14659

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GFXATTRIOSTATSDUMPKEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr2' to trigger a state dump and create...

CVE-2018-14659

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GFXATTRIOSTATSDUMPKEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr2' to trigger a state dump and create...