PT-2018-5196 · Syncthing+1 · Syncthing+1

Calmh

Published

2017-08-09

Updated

2022-05-14

CVE-2017-1000420

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Syncthing versions 0.14.33 and older

Description The issue allows for symlink traversal, resulting in arbitrary file overwrite. This occurs because Syncthing erroneously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target.

Recommendations For Syncthing versions 0.14.33 and older, update to a version newer than 0.14.33 to resolve the issue. As a temporary workaround, consider restricting the creation of symlinks and directories with the same name to minimize the risk of exploitation.

Fix

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-59

Related Identifiers

ALT-PU-2017-2004

CVE-2017-1000420

GHSA-28XP-G7F6-7MHF

Affected Products

Alt Linux

Syncthing

PT-2018-5196 · Syncthing+1 · Syncthing+1

CVE-2017-1000420

Weakness Enumeration

Related Identifiers

Affected Products

References · 14