CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-8MMW-RG27-GMPP
Vulnerability from github – Published: 2022-05-02 04:00 – Updated: 2025-04-11 03:48The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969.
{
"affected": [],
"aliases": [
"CVE-2009-5081"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-06-30T15:55:00Z",
"severity": "LOW"
},
"details": "The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969.",
"id": "GHSA-8mmw-rg27-gmpp",
"modified": "2025-04-11T03:48:11Z",
"published": "2022-05-02T04:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5081"
},
{
"type": "WEB",
"url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff"
},
{
"type": "WEB",
"url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1%3Br2=1.2%3Bf=h"
},
{
"type": "WEB",
"url": "http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1;r2=1.2;f=h"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2009/08/14/4"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2009/08/14/5"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:086"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8MP2-XQ24-FFH7
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Visual Studio Collector Service Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43603"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:28Z",
"severity": "MODERATE"
},
"details": "Visual Studio Collector Service Denial of Service Vulnerability",
"id": "GHSA-8mp2-xq24-ffh7",
"modified": "2024-10-08T18:33:17Z",
"published": "2024-10-08T18:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43603"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43603"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8MPM-Q7MH-8FVH
Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-18 16:09Summary
The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.
Details
Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local)
- Location: src/login.ts
- Behavior: loginInternal(..., { local: true }) performs writeFileSync('.capgo', ...) before validating the API key with verifyUser().
- No checks are performed to prevent writing through a symlink.
- Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.
Issue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)
- Location: src/build/credentials.ts (local path is join(cwd(), '.capgo-credentials.json'))
- Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.
- Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.
Issue 3 - Insecure default permissions for global credentials
- Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)
- Observed permissions after save: -rw-rw-r-- (664)
- Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.
PoC
PoC A: .capgo symlink clobber (writes even when API key invalid)
set -euo pipefail
BASE="/tmp/capgo_cli_poc_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered.txt"
mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q
ln -s "$TARGET" .capgo
# This should fail auth, but still overwrites TARGET
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 login "INVALID_KEY_SHOULD_FAIL" --local || true
echo "== TARGET content =="
cat "$TARGET"
Expected: On invalid key, nothing is written; .capgo should never follow symlinks. Observed: TARGET contains INVALID_KEY_SHOULD_FAIL.
PoC B: .capgo-credentials.json symlink clobber (no login required)
set -euo pipefail
BASE="/tmp/capgo_creds_symlink_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered_creds.txt"
mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q
ln -s "$TARGET" .capgo-credentials.json
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
--local --platform android --appId com.example.app \
--keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true
echo "== TARGET exists and contains JSON written via symlink =="
ls -la "$TARGET" || true
cat "$TARGET" || true
Expected: Refuse to write if destination is symlink; ideally require safe location and permissions. Observed: TARGET is created/overwritten with credentials JSON.
PoC C: global credentials permissions are world-readable
set -euo pipefail
BASE="/tmp/capgo_creds_perm_$(date +%s)"
HOME_SANDBOX="$BASE/home"
mkdir -p "$HOME_SANDBOX"
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
--platform android --appId com.example.app \
--keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true
CREDS="$HOME_SANDBOX/.capgo-credentials/credentials.json"
ls -la "$CREDS" || true
stat -c '%a %U:%G %n' "$CREDS" || true
Observed: credentials.json created with mode 664 (-rw-rw-r--).
Impact
- Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).
- This can cause:
developer environment compromise or sabotage (overwriting config files, scripts, env files) accidental or malicious leakage/destruction of secrets
- Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.
- A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.
Suggested remediation
- Do not write .capgo until after API key validation succeeds.
- For all secret/config writes:
refuse symlink destinations (lstat + isSymbolicLink) use safe file creation and enforce permissions (0600 for files; 0700 for directories) write atomically (temp file + rename) after safety checks
- Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@capgo/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.84.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-377",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T16:09:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer\u2019s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.\n\n### Details\nIssue 1 - Arbitrary file overwrite via .capgo symlink (login --local)\n\n- Location: src/login.ts\n- Behavior: loginInternal(..., { local: true }) performs writeFileSync(\u0027.capgo\u0027, ...) before validating the API key with verifyUser().\n- No checks are performed to prevent writing through a symlink.\n- Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.\n\nIssue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)\n\n- Location: src/build/credentials.ts (local path is join(cwd(), \u0027.capgo-credentials.json\u0027))\n- Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.\n- Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.\n\nIssue 3 - Insecure default permissions for global credentials\n\n- Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)\n- Observed permissions after save: -rw-rw-r-- (664)\n- Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.\n\n### PoC\nPoC A: .capgo symlink clobber (writes even when API key invalid)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_cli_poc_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo\n\n# This should fail auth, but still overwrites TARGET\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 login \"INVALID_KEY_SHOULD_FAIL\" --local || true\n\necho \"== TARGET content ==\"\ncat \"$TARGET\"\n```\n_Expected: On invalid key, nothing is written; .capgo should never follow symlinks.\nObserved: TARGET contains INVALID_KEY_SHOULD_FAIL._\n\nPoC B: .capgo-credentials.json symlink clobber (no login required)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_symlink_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered_creds.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo-credentials.json\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n --local --platform android --appId com.example.app \\\n --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\necho \"== TARGET exists and contains JSON written via symlink ==\"\nls -la \"$TARGET\" || true\ncat \"$TARGET\" || true\n```\n_Expected: Refuse to write if destination is symlink; ideally require safe location and permissions.\nObserved: TARGET is created/overwritten with credentials JSON._\n\nPoC C: global credentials permissions are world-readable\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_perm_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nmkdir -p \"$HOME_SANDBOX\"\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n --platform android --appId com.example.app \\\n --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\nCREDS=\"$HOME_SANDBOX/.capgo-credentials/credentials.json\"\nls -la \"$CREDS\" || true\nstat -c \u0027%a %U:%G %n\u0027 \"$CREDS\" || true\n```\n_Observed: credentials.json created with mode 664 (-rw-rw-r--)._\n\n### Impact\n\n- Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).\n- This can cause:\n\n\u003edeveloper environment compromise or sabotage (overwriting config files, scripts, env files)\n\u003eaccidental or malicious leakage/destruction of secrets\n\n- Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.\n- A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.\n\n### Suggested remediation\n\n- Do not write .capgo until after API key validation succeeds.\n- For all secret/config writes:\n\n\u003erefuse symlink destinations (lstat + isSymbolicLink)\n\u003euse safe file creation and enforce permissions (0600 for files; 0700 for directories)\n\u003ewrite atomically (temp file + rename) after safety checks\n\n- Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).",
"id": "GHSA-8mpm-q7mh-8fvh",
"modified": "2026-03-18T16:09:42Z",
"published": "2026-03-18T16:09:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8mpm-q7mh-8fvh"
},
{
"type": "WEB",
"url": "https://github.com/Cap-go/CLI/commit/b8aa5ccbfad2d7f10f3cdbc00910d4a6aab026b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/Cap-go/capgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)"
}
GHSA-8MXH-558J-W4GM
Vulnerability from github – Published: 2023-08-01 15:30 – Updated: 2024-04-04 06:28A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.
{
"affected": [],
"aliases": [
"CVE-2023-4053"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-01T15:15:10Z",
"severity": "MODERATE"
},
"details": "A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox \u003c 116.",
"id": "GHSA-8mxh-558j-w4gm",
"modified": "2024-04-04T06:28:34Z",
"published": "2023-08-01T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4053"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839079"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-29"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-36"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8P37-Q9QQ-HGX8
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 03:36Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.
_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.
A subsequent open through the extracted name reads or writes the attacker chosen path.
{
"affected": [],
"aliases": [
"CVE-2026-42496"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T02:16:40Z",
"severity": "CRITICAL"
},
"details": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header\u0027s linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path.",
"id": "GHSA-8p37-q9qq-hgx8",
"modified": "2026-06-30T03:36:48Z",
"published": "2026-05-26T13:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42496"
},
{
"type": "WEB",
"url": "https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30851"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30852"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30856"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30857"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-42496"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481314"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42496.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8P8Q-M27V-CR2C
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18mailgo in mgt 2.31 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/mailgo##### temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4972"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "mailgo in mgt 2.31 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/mailgo##### temporary file.",
"id": "GHSA-8p8q-m27v-cr2c",
"modified": "2022-05-17T02:18:31Z",
"published": "2022-05-17T02:18:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4972"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46410"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496434"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/mgt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8PGQ-966C-5F7Q
Vulnerability from github – Published: 2022-05-17 03:52 – Updated: 2022-05-17 03:52lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/.
{
"affected": [],
"aliases": [
"CVE-2014-3422"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-05-08T10:55:00Z",
"severity": "LOW"
},
"details": "lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/.",
"id": "GHSA-8pgq-966c-5f7q",
"modified": "2022-05-17T03:52:13Z",
"published": "2022-05-17T03:52:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3422"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0250.html"
},
{
"type": "WEB",
"url": "http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428#8"
},
{
"type": "WEB",
"url": "http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2014/05/07/7"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:117"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8PMQ-VH8M-9XJ5
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31Windows Deployment Services Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21347"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T18:15:33Z",
"severity": "MODERATE"
},
"details": "Windows Deployment Services Denial of Service Vulnerability",
"id": "GHSA-8pmq-vh8m-9xj5",
"modified": "2025-02-11T18:31:38Z",
"published": "2025-02-11T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21347"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21347"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PV9-VFQJ-Q49W
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44Windows Update Service Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-26866"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Windows Update Service Elevation of Privilege Vulnerability",
"id": "GHSA-8pv9-vfqj-q49w",
"modified": "2022-05-24T17:44:19Z",
"published": "2022-05-24T17:44:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26866"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26866"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8Q24-HC9H-H952
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local files from the victim server.
{
"affected": [],
"aliases": [
"CVE-2024-10986"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:22Z",
"severity": "HIGH"
},
"details": "GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local files from the victim server.",
"id": "GHSA-8q24-hc9h-h952",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10986"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/db2167f5-f17f-491d-aeec-69ba55bf6427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.