Skip to content

diffoscope Path Traversal vulnerability

Moderate severity GitHub Reviewed Published Feb 27, 2024 to the GitHub Advisory Database • Updated Feb 27, 2024

Package

pip diffoscope (pip)

Affected versions

>= 0, < 256

Patched versions

256

Description

diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

References

Published by the National Vulnerability Database Feb 27, 2024
Published to the GitHub Advisory Database Feb 27, 2024
Reviewed Feb 27, 2024
Last updated Feb 27, 2024

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(86th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2024-25711

GHSA ID

GHSA-33w6-hvmq-gh4x

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.