Key Information

Path Traversal in File Tools Allowing Arbitrary Filesystem Access
CVE Number: CVE-2020-XXXXX
Summary: A path traversal vulnerability exists in WindSurf's codebase where the parsing of file-tool paths leads to arbitrary filesystem access.
Products Impacted: WindSurf versions 1.0, 2.0, 3.0
CVSS Score: 9.8
CWE Categorization: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Details: The vulnerability is exploited by providing specific commands that include or similar paths.

Data Exfiltration from Tool-Assisted Setup
CVE Number: CVE-2020-YYYYY
Summary: WindSurf's authorized tools can execute instructions contained in project files with malicious content, leading to data exfiltration.
Products Impacted: WindSurf versions 1.0, 2.0, 3.0
CVSS Score: 7.5
CWE Categorization: CWE-200: Information Exposure
Details: The vulnerability is exploited by crafting a malicious XML file and processing it with the tool, which then uploads the file to an attacker-controlled server.

Timeline
August 14, 2020: Vulnerability discovered internally
September 18, 2020: Patch released for users
October 17, 2020: Public disclosure
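The containment check a file tool needs to close a CWE-22 issue like the first entry above, as an added example that is not WindSurf's code: every requested path is resolved against the workspace root and rejected if it lands outside it, which covers `..` segments, absolute paths and symlinks in one test. The workspace path and the temporary symlink layout are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the workspace root."""


def resolve_within_root(root: str, requested: str) -> Path:
    """Resolve `requested` against `root`; raise if the result leaves `root`.

    Both sides are fully resolved (symlinks followed, '..' collapsed), so
    '../' sequences, absolute paths and symlinks pointing outside the root
    are all rejected by one containment check on path components.
    """
    root_path = Path(root).resolve()
    # An absolute `requested` would make the join discard `root` entirely.
    if Path(requested).is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {requested}")
    candidate = (root_path / requested).resolve()
    # Component-wise check: '/work/proj-evil' is not inside '/work/proj'.
    if not candidate.is_relative_to(root_path):
        raise PathTraversalError(f"path escapes workspace root: {requested}")
    return candidate


def is_safe_path(root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for tool guards and tests."""
    try:
        resolve_within_root(root, requested)
        return True
    except PathTraversalError:
        return False


def symlink_escape_rejected() -> bool:
    """Build a throwaway workspace (constructed demo data) containing a
    symlink that points outside it and confirm the check refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        outside = Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed secret")
        os.symlink(outside, root / "link")
        return not is_safe_path(str(root), "link/secret.txt")
```

Normalising the string alone (stripping `../`) is not enough; resolving both sides and comparing path components is what makes the symlink case fail closed.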