GHSA-pf5v-pqfv-x8jj

Suggest an improvement
Source
https://github.com/advisories/GHSA-pf5v-pqfv-x8jj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-pf5v-pqfv-x8jj/GHSA-pf5v-pqfv-x8jj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pf5v-pqfv-x8jj
Aliases
Published
2024-10-14T21:16:12Z
Modified
2025-05-16T22:32:51.480971Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenCanary Executes Commands From Potentially Writable Config File
Details

Impact

OpenCanary directly executed commands taken from its config file. Where the config file is stored in an unprivileged user directory but the daemon is executed by root, it’s possible for the unprivileged user to change the config file and escalate permissions when root later runs the daemon.

Thanks to the folks at Whirlylabs for finding and fixing this.

Patches

Upgrade to 0.9.4 or higher.

Database specific
{
    "nvd_published_at": "2024-10-14T21:15:12Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T21:16:12Z"
}
References

Affected packages

PyPI / opencanary

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.5

Affected versions

0.*

0.2
0.3
0.3.1
0.3.2
0.4
0.5
0.5.1
0.5.2
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.7.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4