CVE-2020-11498

Name of the Vulnerable Software and Affected Versions Slack Nebula versions 1.1.0 and earlier

Description The issue allows a low-privileged attacker to execute code in the context of the root user via tun darwin.go or tun windows.go. A user can also use Nebula to execute arbitrary code in the user's own context, for example, for user-level persistence or to bypass security controls. The vendor notes that this requires a high degree of access and other preconditions that are tough to achieve.

Recommendations For versions 1.1.0 and earlier, update to a version that fixes the relative path vulnerability. As a temporary workaround, consider restricting access to tun darwin.go and tun windows.go to minimize the risk of exploitation.