CVE-2017-1000420

Name of the Vulnerable Software and Affected Versions Syncthing versions 0.14.33 and older

Description The issue allows for symlink traversal, resulting in arbitrary file overwrite. This occurs because Syncthing erroneously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target.

Recommendations For Syncthing versions 0.14.33 and older, update to a version newer than 0.14.33 to resolve the issue. As a temporary workaround, consider restricting the creation of symlinks and directories with the same name to minimize the risk of exploitation.