Ddiss

**Name of the Vulnerable Software and Affected Versions** Open-iSCSI tcmu-runner versions 1.3.x through 1.5.2 **Description** The issue allows remote attackers to read or write files via directory traversal in an XCOPY request, due to a lack of check for transport-layer restrictions in the xcopy locate udev function in tcmur cmd handler.c. This can occur if an attacker has access to one iSCSI LUN, potentially over a network. **Recommendations** For Open-iSCSI tcmu-runner versions 1.3.x through 1.5.2, consider restricting access to the xcopy locate udev function in tcmur cmd handler.c until a patch is available. As a temporary workaround, restrict the use of XCOPY requests to minimize the risk of exploitation.