Cchheang

**Name of the Vulnerable Software and Affected Versions** RustFS versions alpha.13 through alpha.81 **Description** RustFS logs sensitive credential material, including access key, secret key, and session token, to application logs at the INFO level. This results in credentials being recorded in plaintext in log output, potentially accessible to internal or external log consumers, which could lead to compromise of sensitive credentials. The server writes newly generated STS credential information to logs, as demonstrated in log excerpts. An attacker or unauthorized internal user with access to logs could retrieve these credentials and use them to authenticate to RustFS services or perform other unauthorized actions. This issue is classified as an information disclosure issue. **Recommendations** RustFS versions alpha.13 through alpha.81: Upgrade to version alpha.82 or later to resolve this issue. Do not include secrets in log output—redact `secret key`, `session token`, and similar fields. Log only safe identifiers such as non-sensitive IDs.

**Name of the Vulnerable Software and Affected Versions** Signal K Server versions prior to 1.5.0 Signal K Set-System-Time plugin versions prior to 1.5.0 **Description** A command injection issue exists in the Signal K Server and its Set-System-Time plugin. Authenticated users with write permissions can execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this if security is disabled on the Signal K server. This is due to unsafe construction of shell commands when processing `navigation.datetime` values received via WebSocket delta messages. The vulnerability occurs because the `datetime` value is directly interpolated into a shell command without validation, and the command is then executed using `spawn('sh', ['-c', command])`, which interprets shell metacharacters. The plugin may execute with elevated privileges if `sudo` is misconfigured. A proof-of-concept (PoC) demonstrates the ability to create a file (`/tmp/signalk-RCE.txt`) to prove code execution. Successful exploitation can lead to complete system compromise. **Recommendations** Update to Signal K Server version 1.5.0. Update to Signal K Set-System-Time plugin version 1.5.0. Replace shell-based execution with `child process.execFile()` so user-controlled input is passed as arguments rather than interpreted by a shell. Validate that `navigation.datetime` conforms to an expected ISO-8601 format to improve robustness.

**Name of the Vulnerable Software and Affected Versions** Signal K Server versions prior to 2.20.3 **Description** Signal K Server, a server application used in marine environments, contains a path traversal issue in its applicationData API. Authenticated users on Windows systems can potentially read, write, and list arbitrary files and directories on the filesystem. The `validateAppId()` function inadequately validates input, specifically failing to block backslashes (``), which are recognized as directory separators on Windows systems. This allows attackers to bypass the intended applicationData directory restrictions. The vulnerability exists due to the incomplete sanitization of the `appid` parameter within the `validateAppId()` function. The function only checks for forward slashes (`/`) and does not account for backslashes, which, when combined with the `path.join()` function on Windows, enables directory traversal sequences like `......`. A proof-of-concept (PoC) script demonstrates the ability to traverse directory levels and access sensitive files. **Recommendations** Versions prior to 2.20.3: Add backslash validation to the `validateAppId()` function. Versions prior to 2.20.3: Utilize `path.normalize()` and validate that the resolved paths remain within the intended directory.