PT-2024-21107 · Unknown+1 · Diffoscope+1

Published

2024-02-11

Updated

2024-06-15

CVE-2024-25711

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions diffoscope versions prior to 256

Description The issue allows directory traversal via an embedded filename in a GPG file, potentially disclosing contents of any file, such as ../.ssh/id rsa, to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

Recommendations For versions prior to 256, update to version 256 or later to resolve the issue. As a temporary workaround, consider disabling the use of embedded filenames in GPG files to minimize the risk of exploitation. Restrict access to sensitive files and directories to prevent potential disclosure of their contents.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2024-25711

GHSA-33W6-HVMQ-GH4X

OPENSUSE-SU-2024:13792-1

PYSEC-2024-41

Affected Products

Debian

Diffoscope

PT-2024-21107 · Unknown+1 · Diffoscope+1

CVE-2024-25711

Weakness Enumeration

Related Identifiers

Affected Products

References · 20