PT-2025-38260 · Dragonfly · Dragonfly

Gaius-Qi · Published 2025-09-17 · Updated 2025-10-27 · CVE-2025-59349

CVSS v4.0: 5.1 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Dragonfly versions prior to 2.1.0

Description

Dragonfly2 uses the os.MkdirAll function to create directory paths with specific access permissions. This function does not perform permission checks if a directory path already exists, allowing a local attacker to create a directory with broad permissions before Dragonfly2 does so, potentially enabling file tampering. An attacker with unprivileged access can introduce directories/paths with 0777 permissions before Dragonfly2 creates them, allowing deletion and forging of files in that directory.

Recommendations

Upgrade to version 2.1.0 or later.
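
The behaviour described above and one way to guard against it, as an added example (not Dragonfly's code and not a description of its fix). The helper `ensurePrivateDir`, the `demo` function and the temporary directory names are hypothetical, and the ownership check assumes a Unix system.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ensurePrivateDir is a hypothetical helper. os.MkdirAll returns nil and leaves
// mode and owner untouched when the path exists, so the result is verified.
func ensurePrivateDir(dir string, perm os.FileMode) error {
	if err := os.MkdirAll(dir, perm); err != nil {
		return err
	}
	fi, err := os.Lstat(dir) // Lstat, so a planted symlink is not followed
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s: not a real directory (%v)", dir, fi.Mode())
	}
	if extra := fi.Mode().Perm() &^ perm; extra != 0 {
		return fmt.Errorf("%s: existing directory has extra bits %04o", dir, extra)
	}
	// Unix-only: the directory must belong to the account we run as.
	if st, ok := fi.Sys().(*syscall.Stat_t); ok && int(st.Uid) != os.Geteuid() {
		return fmt.Errorf("%s: owned by uid %d", dir, st.Uid)
	}
	return nil
}

// demo uses constructed paths in a temp dir: "squatted" is pre-created 0777,
// as in the advisory; "fresh" does not exist before the call.
func demo() (mode os.FileMode, squattedErr, freshErr error) {
	base, err := os.MkdirTemp("", "mkdirall-demo-")
	squatted := filepath.Join(base, "squatted")
	// Chmod forces 0777 regardless of the process umask.
	if err != nil || os.Mkdir(squatted, 0o777) != nil || os.Chmod(squatted, 0o777) != nil {
		panic("demo setup failed")
	}
	defer os.RemoveAll(base)
	_ = os.MkdirAll(squatted, 0o700) // returns nil and changes nothing
	fi, _ := os.Stat(squatted)
	return fi.Mode().Perm(), ensurePrivateDir(squatted, 0o700),
		ensurePrivateDir(filepath.Join(base, "fresh"), 0o700)
}

func main() { fmt.Println(demo()) }
```

The helper checks only the final path component; parent directories that other users can write to still allow the directory to be replaced after the check.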

Exploit

Fix

Incorrect Permission

Incorrect Default Permissions

Weakness Enumeration

Related Identifiers

CVE-2025-59349
GHSA-8425-8R2F-MRV6
GO-2025-3964
OPENSUSE-SU-2025:15576-1
SUSE-SU-2025:3799-1

Affected Products

Dragonfly