CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-F4JG-5WJ8-PR9P
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-01-27 18:31An arbitrary file deletion vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (eg: member of a domain admin group).
{
"affected": [],
"aliases": [
"CVE-2024-3037"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:39:48Z",
"severity": "MODERATE"
},
"details": "An arbitrary file deletion vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (eg: member of a domain admin group).\n\n",
"id": "GHSA-f4jg-5wj8-pr9p",
"modified": "2025-01-27T18:31:59Z",
"published": "2024-05-14T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3037"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/security-bulletin-may-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F4QW-WCQM-7C8G
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-03-26 21:31Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive information including configuration files, credentials, and system data stored on the device.
{
"affected": [],
"aliases": [
"CVE-2021-4474"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T20:16:07Z",
"severity": "MODERATE"
},
"details": "Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive information including configuration files, credentials, and system data stored on the device.",
"id": "GHSA-f4qw-wcqm-7c8g",
"modified": "2026-03-26T21:31:26Z",
"published": "2026-03-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4474"
},
{
"type": "WEB",
"url": "https://support.ruckuswireless.com/security_bulletins/306"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/ruckus-ap-cli-arbitrary-file-read-allows-authenticated-remote-file-access"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F5F7-6478-QM6P
Vulnerability from github – Published: 2021-11-01 17:32 – Updated: 2021-11-01 17:26A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.20.0"
},
{
"fixed": "1.20.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.21.0"
},
{
"fixed": "1.21.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.22.0"
},
{
"fixed": "1.22.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25741"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-01T17:26:17Z",
"nvd_published_at": "2021-09-20T17:15:00Z",
"severity": "HIGH"
},
"details": "A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files \u0026 directories outside of the volume, including on the host filesystem.",
"id": "GHSA-f5f7-6478-qm6p",
"modified": "2021-11-01T17:26:17Z",
"published": "2021-11-01T17:32:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-f5f7-6478-qm6p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25741"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/104980"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/nyfdhK24H7s"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211008-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Files or Directories Accessible to External Parties in kubernetes"
}
GHSA-F5JQ-F6J5-W2C3
Vulnerability from github – Published: 2023-05-09 15:30 – Updated: 2024-04-04 03:55A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 < V2.1), SIMATIC Cloud Connect 7 CC716 (All versions >= V2.0 < V2.1). The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources.
{
"affected": [],
"aliases": [
"CVE-2023-29107"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T13:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions \u003e= V2.0 \u003c V2.1), SIMATIC Cloud Connect 7 CC716 (All versions \u003e= V2.0 \u003c V2.1). The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources.",
"id": "GHSA-f5jq-f6j5-w2c3",
"modified": "2024-04-04T03:55:22Z",
"published": "2023-05-09T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29107"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-555292.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F5P4-P5Q5-JV3H
Vulnerability from github – Published: 2025-10-28 17:49 – Updated: 2025-11-05 22:11Summary
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker.
LUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:
- Opens (cryptsetup open) without error using any passphrase or token
- Records all writes in plaintext (or ciphertext with an attacker-known key)
Details
Contrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the cryptsetup CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.
Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field.
Impact
Using a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.
Notice that Contrast's persistent volumes weren't integrity protected, so the integrity impact of this attack isn't considered.
Patches
A partial fix landed in cryptsetup version 2.8.1, disabling null ciphers in keyslots when the user passphrase is nonempty. Contrast shipped this cryptsetup version shortly after it has been released upstream, in Contrast version v1.12.1.
However, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in #1731 and released as part of Contrast v1.13.0.
In addition, we added integrity protection for secure persistent storage as a new feature in #1734, which was also shipped as part of v1.13.0.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/edgelesssys/contrast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-28T17:49:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeless.systems/contrast/howto/encrypted-storage) feature. The guest will open the volume and write secret data using a volume key known to the attacker. \n\nLUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:\n\n- Opens (cryptsetup open) without error using any passphrase or token\n- Records all writes in plaintext (or ciphertext with an attacker-known key)\n\n### Details\n\nContrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the `cryptsetup` CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.\n\nCryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the `cipher_null-ecb` algorithm in the keyslot `encryption` field.\n\n### Impact\n\nUsing a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.\n\nNotice that Contrast\u0027s persistent volumes weren\u0027t integrity protected, so the integrity impact of this attack isn\u0027t considered.\n\n### Patches\n\nA partial fix landed in [cryptsetup version 2.8.1](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/docs/v2.8.1-ReleaseNotes#L14), disabling null ciphers in keyslots when the user passphrase is nonempty. Contrast shipped this cryptsetup version shortly after it has been released upstream, in [Contrast version v1.12.1](https://github.com/edgelesssys/contrast/releases/tag/v1.12.1).\n\nHowever, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in [#1731](https://github.com/edgelesssys/contrast/pull/1731) and released as part of [Contrast v1.13.0](https://github.com/edgelesssys/contrast/releases/tag/v1.13.0).\n\nIn addition, we added integrity protection for secure persistent storage as a new feature in [#1734](https://github.com/edgelesssys/contrast/pull/1734), which was also shipped as part of [v1.13.0](https://github.com/edgelesssys/contrast/releases/tag/v1.13.0).",
"id": "GHSA-f5p4-p5q5-jv3h",
"modified": "2025-11-05T22:11:22Z",
"published": "2025-10-28T17:49:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-f5p4-p5q5-jv3h"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/pull/1731"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/commit/2252a231d570c2dce10a33660452b0bfc3c43958"
},
{
"type": "PACKAGE",
"url": "https://github.com/edgelesssys/contrast"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Contrast has insecure LUKS2 persistent storage partitions may be opened and used"
}
GHSA-F73R-7G7H-494M
Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
{
"affected": [],
"aliases": [
"CVE-2025-1042"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T15:15:16Z",
"severity": "MODERATE"
},
"details": "An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.",
"id": "GHSA-f73r-7g7h-494m",
"modified": "2025-02-12T15:32:02Z",
"published": "2025-02-12T15:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1042"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2886976"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/50849943"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F74H-HVPW-9XWM
Vulnerability from github – Published: 2024-11-20 09:32 – Updated: 2026-02-23 12:31Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview.
{
"affected": [],
"aliases": [
"CVE-2024-10126"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-20T09:15:03Z",
"severity": "MODERATE"
},
"details": "Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview.",
"id": "GHSA-f74h-hvpw-9xwm",
"modified": "2026-02-23T12:31:29Z",
"published": "2024-11-20T09:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10126"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2024-10126"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/CVE-2024-10126"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F7QW-JJ9C-RPQ9
Vulnerability from github – Published: 2023-05-31 23:38 – Updated: 2023-05-31 23:38Note
The official templates of Lima, and the well-known third party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue.
Impact
A virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host.
To exploit this issue, the attacker has to embed the target file path (an absolute or a relative path from the instance directory) in a malicious disk image, as the qcow2 (or vmdk) backing file path string.
As Lima refuses to run as the root, it is practically impossible for the attacker to read the entire host disk via /dev/rdiskN.
Also, practically, the attacker cannot read at least the first 512 bytes (MBR) of the target file.
Patches
Patched in Lima v0.16.0, by prohibiting using a backing file path in the VM base image.
Workarounds
Do not use an untrusted disk image.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lima-vm/lima"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32684"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-31T23:38:28Z",
"nvd_published_at": "2023-05-30T18:15:10Z",
"severity": "LOW"
},
"details": "\u003e **Note**\n\u003e\n\u003e The official templates of Lima, and the well-known third party products (Colima, Rancher Desktop, and Finch) are *unlikely* to be affected by this issue.\n\n### Impact\nA virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host.\n\nTo exploit this issue, the attacker has to embed the target file path (an absolute or a relative path from the instance directory) in a malicious disk image, as the [qcow2 (or vmdk) backing file path string](https://gitlab.com/qemu-project/qemu/-/blob/v8.0.0/docs/interop/qcow2.txt#L23-L34).\nAs Lima refuses to run as the root, it is practically impossible for the attacker to read the entire host disk via `/dev/rdiskN`.\nAlso, practically, the attacker cannot read at least the first 512 bytes (MBR) of the target file.\n\n### Patches\nPatched in Lima v0.16.0, by prohibiting using a backing file path in the VM base image.\n\n### Workarounds\nDo not use an untrusted disk image.",
"id": "GHSA-f7qw-jj9c-rpq9",
"modified": "2023-05-31T23:38:28Z",
"published": "2023-05-31T23:38:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lima-vm/lima/security/advisories/GHSA-f7qw-jj9c-rpq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32684"
},
{
"type": "WEB",
"url": "https://github.com/lima-vm/lima/commit/01dbd4d9cabe692afa4517be3995771f0ebb38a5"
},
{
"type": "PACKAGE",
"url": "https://github.com/lima-vm/lima"
},
{
"type": "WEB",
"url": "https://github.com/lima-vm/lima/releases/tag/v0.16.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file"
}
GHSA-F97G-94HP-59H9
Vulnerability from github – Published: 2025-08-03 00:30 – Updated: 2025-08-03 00:30NVIDIA Installer for Windows contains a vulnerability where an attacker may be able to escalate privileges. A successful exploit of this vulnerability may lead to escalation of privileges, denial of service, code execution, information disclosure and data tampering.
{
"affected": [],
"aliases": [
"CVE-2025-23276"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-02T22:15:44Z",
"severity": "HIGH"
},
"details": "NVIDIA Installer for Windows contains a vulnerability where an attacker may be able to escalate privileges. A successful exploit of this vulnerability may lead to escalation of privileges, denial of service, code execution, information disclosure and data tampering.",
"id": "GHSA-f97g-94hp-59h9",
"modified": "2025-08-03T00:30:23Z",
"published": "2025-08-03T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23276"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5670"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F9MQ-JPH6-9MHM
Vulnerability from github – Published: 2020-07-07 00:01 – Updated: 2021-01-07 23:48Impact
The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.
Workarounds
Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.
Fixed Versions
9.0.0-beta.218.2.47.2.4
For more information
If you have any questions or comments about this advisory: * Email us at security@electronjs.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-4075"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-06T23:54:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.\n\n### Workarounds\nEnsure you are calling `event.preventDefault()` on all [`new-window`](https://electronjs.org/docs/api/web-contents#event-new-window) events where the `url` or `options` is not something you expect.\n\n### Fixed Versions\n* `9.0.0-beta.21`\n* `8.2.4`\n* `7.2.4`\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-f9mq-jph6-9mhm",
"modified": "2021-01-07T23:48:36Z",
"published": "2020-07-07T00:01:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-f9mq-jph6-9mhm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4075"
},
{
"type": "WEB",
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary file read via window-open IPC in Electron"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.