漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add
Vulnerability Description
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Vulnerability Title
Dokku 后置链接漏洞
Vulnerability Description
Dokku Dokku是Dokku团队的一个云平台部署工具。 Dokku 0.38.2之前版本存在后置链接漏洞,该漏洞源于git:from-archive和certs:add命令在处理用户提供的tar/zip存档时,未清理成员路径或阻止符号链接遍历,攻击者可利用该漏洞在dokku用户可写位置写入任意文件,包括覆盖~/.ssh/authorized_keys以获取不受限制的shell访问权限。
CVSS Information
N/A
Vulnerability Type
N/A