![]() ![]() This could lead to important files being overwritten anywhere the Gradle process has write permissions. ![]() * When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. # Impact This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip. ![]() There are no known workarounds for this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. It is unlikely that this would go unnoticed. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. Gradle is a build tool with a focus on build automation and support for multi-language development. ![]() It is not clear whether a fix exists.Īrtifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). The namespace of this custom resource would be user's control and may have permission to correct it. The charging interface may expose resource information. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). Sealos is a Cloud Operating System designed for managing cloud-native applications.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |