Headline
GHSA-8jxr-mccc-mwg8: OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)
Summary
A path traversal vulnerability in LocalMode's open_local_file method allows an authenticated user with adequate permissions to download any .txt file via ScreensController#show on the web server COSMOS is running on (depending on the file permissions).
Note: This CVE affects all OpenC3 COSMOS Editions
Impact
This issue may lead to Information Disclosure.
NOTE: The complete advisory with much more information is added as a comment.
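The defensive check a path traversal like this one calls for is to resolve the requested name against the screens directory and refuse anything that lands outside it. The following is an added Ruby example written for this advisory; it is not code from OpenC3 COSMOS and does not reproduce the project's open_local_file or the referenced fix commit. The function names, the base-directory argument and the .txt restriction (taken from the summary's "any .txt") are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Illustrative unsafe pattern (NOT the project's code): joining a caller-supplied
# name onto a base directory without containment checks lets "../" segments or
# absolute paths resolve anywhere the server process can read.
def naive_local_path(base, name)
  File.join(base, name)
end

# Hardened resolver: returns the absolute path if +name+ stays inside +base+
# and names a .txt file, otherwise nil. +base+ is assumed to be the directory
# that screen definitions are served from.
def safe_local_path(base, name)
  return nil if name.nil? || name.empty?
  return nil if name.include?("\0")           # NUL bytes can truncate paths in C-level calls
  return nil if name.start_with?('~')         # expand_path would treat "~x" as a home directory

  base_abs  = File.expand_path(base)
  candidate = File.expand_path(name, base_abs) # collapses "." and ".." segments

  # Containment: the candidate must be strictly below base_abs, so both
  # "../../etc/passwd" and an absolute "/etc/passwd" are rejected.
  return nil unless candidate.start_with?(base_abs + File::SEPARATOR)

  # Only screen definition files are served.
  return nil unless File.extname(candidate) == '.txt'

  # Symlink caveat: expand_path does not follow links. If the base directory
  # may contain attacker-created symlinks, re-check with File.realpath here.
  candidate
end

# Reads the screen file or returns nil when the request is rejected or missing.
def read_screen_file(base, name)
  path = safe_local_path(base, name)
  return nil if path.nil? || !File.file?(path)
  File.read(path)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'demo.txt'), "SCREEN AUTO AUTO 1.0\n") # constructed sample
    puts read_screen_file(dir, 'demo.txt').inspect            # file contents
    puts safe_local_path(dir, '../../etc/passwd').inspect     # nil: escapes base
    puts safe_local_path(dir, '/etc/passwd').inspect          # nil: absolute path
    puts naive_local_path(dir, '../../etc/passwd')            # shows what the unsafe join yields
  end
end
```

The containment test compares against `base_abs + File::SEPARATOR` rather than `base_abs` alone so that a sibling directory with a matching prefix (for example `/srv/screens2` next to `/srv/screens`) is not accepted.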
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-46977
High severity GitHub Reviewed Published Oct 2, 2024 in OpenC3/cosmos
Package
Affected versions
< 5.19.0
References
- GHSA-8jxr-mccc-mwg8
- OpenC3/cosmos@a34e61a
Published to the GitHub Advisory Database
Oct 2, 2024