Description
URLs containing percent-encoded slashes (/ or \) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
A flaw was found in wcurl. This vulnerability allows a remote attacker to manipulate the location where output files are saved. By crafting a malicious URL with percent-encoded slashes, the attacker can trick the wcurl command-line tool into writing files outside of the intended directory. This could lead to unauthorized file placement on the system.
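A defensive sketch of the filename derivation a download wrapper can use so that encoded separators never become path syntax. This is an added example, not wcurl's source; the function names and the `index.html` fallback are assumptions, and the URLs are constructed samples.

```shell
#!/bin/sh
# Added illustration, not wcurl's source. Function names are hypothetical.

# Percent-decode STRING in a single pass, but leave %2F (/), %5C (\) and
# control bytes (%00-%1F, %7F) encoded so they can never act as path syntax.
decode_keep_separators() {
    s=$1
    out=
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                rest=${s#%}
                hex=${rest%"${rest#??}"}      # the two hex digits
                s=${rest#??}
                case $hex in
                    2[Ff]|5[Cc]|[01][0-9A-Fa-f]|7[Ff])
                        out="$out%$hex" ;;    # stays encoded
                    *)
                        out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
                esac ;;
            *)
                first=${s%"${s#?}"}           # copy one literal character
                out="$out$first"
                s=${s#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Derive a local file name from URL: last path segment, query and fragment
# removed. Fails (status 1) if the result could leave the current directory.
output_name_for() {
    url=${1%%"#"*}
    url=${url%%"?"*}
    path=${url#*://}
    case $path in */*) path=${path#*/} ;; *) path= ;; esac
    name=$(decode_keep_separators "${path##*/}")
    case $name in
        '') name=index.html ;;                # assumed fallback name
        .|..|*/*|*\\*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Constructed sample URLs (example.com is a placeholder host).
for u in 'https://example.com/files/report%20v2.pdf' \
         'https://example.com/a/..%2F..%2Fnotes.txt' \
         'https://example.com/a/dir%5Cfile.txt'; do
    printf '%s -> %s\n' "$u" "$(output_name_for "$u")"
done
```

Because decoding is done in one pass, a double-encoded `%252F` yields the literal text `%2F` in the file name rather than a slash.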
Report
Note: this vulnerability only affects the wcurl command line tool.
Mitigations
Some potential mitigations to limit the risk of this vulnerability include:
- Explicitly choose an output filename with -o/-O/--output
- Disable percent-decoding for output filenames with --no-decode-filename.
Additional information
Status:
EPSS
CVSS3: 6.5 Medium