CVE-2024-46977

Name of the Vulnerable Software and Affected Versions OpenC3 COSMOS versions prior to 5.19.0

Description A path traversal vulnerability inside of LocalMode's open local file method allows an authenticated user with adequate permissions to download any .txt via the ScreensController#show on the web server COSMOS is running on, depending on the file permissions. This issue may lead to Information Disclosure.

Recommendations For versions prior to 5.19.0, update to version 5.19.0 to resolve the issue. As a temporary workaround, consider restricting access to the ScreensController#show endpoint or limiting the permissions of authenticated users to minimize the risk of exploitation.