GHSA-8jxr-mccc-mwg8

Source

https://github.com/advisories/GHSA-8jxr-mccc-mwg8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-8jxr-mccc-mwg8/GHSA-8jxr-mccc-mwg8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8jxr-mccc-mwg8

Aliases

Published

2024-10-02T19:29:32Z

Modified

2024-10-31T14:00:54.475406Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)

Details

Summary

A path traversal vulnerability inside of LocalMode's open_local_file method allows an authenticated user with adequate permissions to download any .txt via the ScreensController#show on the web server COSMOS is running on (depending on the file permissions).

Note: This CVE affects all OpenC3 COSMOS Editions

Impact

This issue may lead to Information Disclosure.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2024-10-02T20:15:11Z",
    "github_reviewed_at": "2024-10-02T19:29:32Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

RubyGems / openc3

Package

Name: openc3
Purl: pkg:gem/openc3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.0

Affected versions

5.*

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.1.0

5.1.1

5.2.0

5.3.0

5.4.0

5.4.1

5.4.2

5.4.3.pre.beta0

5.5.0.pre.beta0

5.5.0

5.5.1

5.5.2.pre.beta0

5.5.2

5.6.0

5.6.1

5.7.0

5.7.2

5.8.0

5.8.1

5.9.0

5.9.1

5.10.0

5.10.1

5.11.0

5.11.1

5.11.2

5.11.3

5.12.0

5.13.0

5.14.0

5.14.1

5.14.2

5.15.0

5.15.1

5.15.2

5.16.0

5.16.1

5.16.2

5.17.0

5.17.1

5.18.0

PyPI / openc3