PT-2024-34887 · Unknown+1 · Cap-Async-Std+2
Nathaniel-Daniel · Published 2024-11-05 · Updated 2024-11-06 · CVE-2024-51756
CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
cap-std versions prior to 3.4.1
cap-primitives versions prior to 3.4.1
cap-async-std versions prior to 3.4.1
Description
The cap-std project's filesystem sandbox implementation on Windows has a flaw that allows untrusted filesystem paths to bypass the sandbox and access devices through special device filenames with superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. This can provide access to peripheral devices connected to the computer, or network resources mapped to those devices, including modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports.
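For code that screens untrusted paths on Windows itself, the sketch below shows a reserved-device-name check that counts superscript digits as digits. It is an added example, not cap-std's fix or code from the project; the function names are hypothetical, and treating ⁰, ¹, ² and ³ all as device digits is a conservative assumption.

```rust
// Added illustration, not cap-std's code. Function names are hypothetical.

/// ASCII digits plus the superscript digits ⁰ ¹ ² ³. Treating all four
/// superscripts as device digits is a conservative assumption of this example.
fn is_device_digit(c: char) -> bool {
    c.is_ascii_digit() || matches!(c, '\u{2070}' | '\u{00B9}' | '\u{00B2}' | '\u{00B3}')
}

/// True if one path component names a reserved Windows device.
pub fn is_reserved_device_name(component: &str) -> bool {
    // Conservatively drop an extension or stream suffix and trailing spaces,
    // which Win32 path parsing has historically ignored for device names.
    let stem = component
        .split(|c: char| c == '.' || c == ':')
        .next()
        .unwrap_or("")
        .trim_end_matches(' ');
    // ASCII-only uppercasing leaves the superscript digits untouched.
    let upper = stem.to_ascii_uppercase();
    if matches!(upper.as_str(), "CON" | "PRN" | "AUX" | "NUL") {
        return true;
    }
    // COM<d> / LPT<d>: exactly three letters followed by exactly one digit.
    let mut chars = upper.chars();
    let prefix: String = chars.by_ref().take(3).collect();
    match (prefix.as_str(), chars.next(), chars.next()) {
        ("COM" | "LPT", Some(d), None) => is_device_digit(d),
        _ => false,
    }
}

/// True if any component of an untrusted relative path is a device name.
pub fn path_touches_device(path: &str) -> bool {
    path.split(|c: char| c == '/' || c == '\\')
        .any(is_reserved_device_name)
}

fn main() {
    // Constructed sample paths.
    for p in ["logs/output.txt", "COM1", "com\u{00B9}", "spool\\LPT\u{2070}", "COM10"] {
        println!("{:<16} reserved={}", p, path_touches_device(p));
    }
}
```

A check that accepts only ASCII digits would pass the third and fourth sample paths, which is the gap the description refers to.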
Recommendations
For cap-std versions prior to 3.4.1, upgrade to version 3.4.1 or later.
For cap-primitives versions prior to 3.4.1, upgrade to version 3.4.1 or later.
For cap-async-std versions prior to 3.4.1, upgrade to version 3.4.1 or later.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Cap-Async-Std
Cap-Primitives
Cap-Std