CVE-2023-2110

Опубликовано: 19 авг. 2023

Источник: nvd

CVSS3: 8.2

CVSS3: 7.1

EPSS Низкий

Описание

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.

Ссылки

https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8/
Release Notes
https://starlabs.sg/advisories/23/23-2110/
Exploit
Mitigation
Third Party Advisory
https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8/
Release Notes
https://starlabs.sg/advisories/23/23-2110/
Exploit
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:obsidian:obsidian:*:*:*:*:*:*:*:*

Версия до 1.2.8 (исключая)

Одно из

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Процентиль: 29%

0.00103

Низкий

8.2 High

CVSS3

7.1 High

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-gpj7-f5cp-g2m9

CVSS3: 8.2

github

больше 2 лет назад

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.

EPSS

Процентиль: 29%

0.00103

Низкий

8.2 High

CVSS3

7.1 High

CVSS3

Дефекты

CWE-22