x/vulndb: potential Go vuln in github.com/cloudflare/cloudflared: CVE-2023-1314 #1652
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package that can be imported, but isn't meant to be imported outside that module.
Comments
neild added the excluded: EFFECTIVELY_PRIVATE label Mar 21, 2023
Change https://go.dev/cl/592760 mentions this issue: |
Change https://go.dev/cl/606784 mentions this issue: |
gopherbot pushed a commit that referenced this issue Aug 20, 2024

- data/reports/GO-2023-1643.yaml
- data/reports/GO-2023-1644.yaml
- data/reports/GO-2023-1651.yaml
- data/reports/GO-2023-1652.yaml
- data/reports/GO-2023-1653.yaml
- data/reports/GO-2023-1654.yaml
- data/reports/GO-2023-1655.yaml
- data/reports/GO-2023-1656.yaml
- data/reports/GO-2023-1657.yaml
- data/reports/GO-2023-1658.yaml
- data/reports/GO-2023-1659.yaml
- data/reports/GO-2023-1660.yaml
- data/reports/GO-2023-1661.yaml
- data/reports/GO-2023-1662.yaml
- data/reports/GO-2023-1670.yaml
- data/reports/GO-2023-1671.yaml
- data/reports/GO-2023-1682.yaml
- data/reports/GO-2023-1683.yaml
- data/reports/GO-2023-1685.yaml
- data/reports/GO-2023-1699.yaml

Updates #1643
Updates #1644
Updates #1651
Updates #1652
Updates #1653
Updates #1654
Updates #1655
Updates #1656
Updates #1657
Updates #1658
Updates #1659
Updates #1660
Updates #1661
Updates #1662
Updates #1670
Updates #1671
Updates #1682
Updates #1683
Updates #1685
Updates #1699

Change-Id: Iddcfb6c5438e03827049eecbf0a95fae6c078436
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606784
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
CVE-2023-1314 references github.com/cloudflare/cloudflared, which may be a Go module.
Description:
A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for 32-bit Windows devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.