exploitDog


GHSA-8jxr-mccc-mwg8

Published: 02 Oct 2024
Source: github
GitHub: reviewed
CVSS4: 7.1
CVSS3: 6.5

Description

OpenC3 Path Traversal via screen controller (GHSL-2024-127)

Summary

A path traversal vulnerability in LocalMode's open_local_file method allows an authenticated user with adequate permissions to download any .txt file via ScreensController#show on the web server COSMOS is running on (depending on the file permissions).

Note: This CVE affects all OpenC3 COSMOS Editions

Impact

This issue may lead to Information Disclosure.
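A minimal illustration of the weakness class named above (CWE-22), written as an added example and not taken from OpenC3's code: a screen loader that only checks the .txt extension, beside a hardened version that canonicalizes the path and confirms it stays beneath the screens directory. The sandbox directories, file contents and function names are constructed for the demo.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed sandbox: a screens directory plus one .txt file outside it.
SANDBOX = Dir.mktmpdir('cosmos_demo')
SCREENS = File.join(SANDBOX, 'screens')
FileUtils.mkdir_p(SCREENS)
File.write(File.join(SCREENS, 'status.txt'), 'SCREEN STATUS')
File.write(File.join(SANDBOX, 'outside.txt'), 'NOT A SCREEN')

# Hypothetical vulnerable pattern: the extension is checked, but the
# joined path is never confirmed to lie beneath SCREENS, so a relative
# path can climb out of the directory and still satisfy the .txt check.
def open_local_file_vulnerable(relative_path)
  full = File.join(SCREENS, relative_path)
  return nil unless File.extname(full) == '.txt'
  File.read(full)
rescue Errno::ENOENT
  nil
end

# Hardened form: resolve the base and the requested path to canonical
# absolute paths, then require the result to sit under the base directory
# (separator included, so "screens_other" cannot match "screens").
def open_local_file_safe(relative_path)
  base = File.realpath(SCREENS)
  full = File.expand_path(relative_path, base)
  return nil unless full.start_with?(base + File::SEPARATOR)
  return nil unless File.extname(full) == '.txt'
  return nil unless File.file?(full)
  # Re-check after resolving symlinks so a link inside SCREENS cannot escape.
  real = File.realpath(full)
  return nil unless real.start_with?(base + File::SEPARATOR)
  File.read(real)
end
```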

Packages

Name     Ecosystem   Affected versions   Fixed version
openc3   rubygems    < 5.19.0            5.19.0
openc3   pip         < 5.19.0            5.19.0

EPSS: 0.00902 (percentile: 75%), Low

CVSS4: 7.1 High

CVSS3: 6.5 Medium

Weaknesses: CWE-22

Related vulnerabilities

CVSS3: 6.5
nvd
more than 1 year ago

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. A path traversal vulnerability inside of LocalMode's open_local_file method allows an authenticated user with adequate permissions to download any .txt via the ScreensController#show on the web server COSMOS is running on (depending on the file permissions). This vulnerability is fixed in 5.19.0.