Veracode Vulnerability Database
VERACODE:46895
History: May 14, 2024 - 8:21 a.m.

Arbitrary File Read

sca.analysiscenter.veracode.com

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score: 7.1
Confidence: High

EPSS: 0
Percentile: 9.0%

github.com/dotmesh-io/dotmesh is vulnerable to Arbitrary File Read. The vulnerability is due to the unsafe handling of symbolic links in an unpacking routine, allowing attackers to read and/or write to arbitrary locations outside the designated target folder.
