CVE-2020-35883

Name of the Vulnerable Software and Affected Versions mozwire crate through 2020-08-18

Description An issue in the mozwire crate allows a ../ directory-traversal situation, enabling the overwriting of local files that have .conf at the end of the filename. This occurs because the client software downloads a list of servers from Mozilla's servers and creates local files named after the hostname field in the JSON document without verifying the content of the string, which could include '../' and lead to path traversal. An attacker in control of Mozilla's servers could exploit this to overwrite or create local files named .conf.

Recommendations For mozwire crate through 2020-08-18, the flaw was corrected by sanitizing the hostname field, implying that updating to a version where this fix is applied would resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.