First published: Sun Feb 11 2024(Updated: )
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
pip/diffoscope | >=0<256 | 256 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.