CVE-2024-25711 — Path Traversal in Builds Diffoscope

CWE-22 — Path Traversal6 documents5 sources

Severity

7.5HIGHNVD

EPSS

5.3%

top 10.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Reproducible Builds Diffoscope Fedoraproject Fedora

Timeline

PublishedFeb 27

Description

diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDreproducible_builds/diffoscope< 256

▶PyPIreproducible_builds/diffoscope< 256

▶Debianreproducible_builds/diffoscope< 256+1

Also affects: Fedora 39

Patches

Patch: salsa.debian.org ↗Patch: salsa.debian.org ↗

🔴Vulnerability Details

OSV

CVE-2024-25711: diffoscope before 256 allows directory traversal via an embedded filename in a GPG file↗2024-02-27

▶

OSV

diffoscope Path Traversal vulnerability↗2024-02-27

▶

GHSA

diffoscope Path Traversal vulnerability↗2024-02-27

▶

CVEList

CVE-2024-25711: diffoscope before 256 allows directory traversal via an embedded filename in a GPG file↗2024-02-11

▶

📋Vendor Advisories

Debian

CVE-2024-25711: diffoscope - diffoscope before 256 allows directory traversal via an embedded filename in a G...↗2024

▶