First published: Wed Oct 02 2024
### Summary

A path traversal vulnerability inside of `LocalMode`'s `open_local_file` method allows an authenticated user with adequate permissions to download any `.txt` via the `ScreensController#show` on the web server COSMOS is running on (depending on the file permissions).

Note: This CVE affects all OpenC3 COSMOS Editions.

### Impact

This issue may lead to Information Disclosure.

**NOTE:** The complete advisory with much more information is added as a [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8#advisory-comment-104903).
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/openc3 | <5.19.0 | 5.19.0 |
| rubygems/openc3 | <5.19.0 | 5.19.0 |
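As an added illustration of the bug class described above (this is not OpenC3's code and does not reproduce its `open_local_file`), here is a Ruby file-serving helper in the traversal-prone shape next to a hardened one that confines lookups to an allowed directory; `base_dir` and `name` are assumed parameter names and the fixture files are constructed for the demo:

```ruby
require 'tmpdir'
require 'fileutils'

# Vulnerable shape: the caller-controlled name is joined onto the base
# directory without checking where the joined path actually points, so a
# name containing ".." (or an absolute path) can reach files outside base_dir.
def open_local_file_unsafe(base_dir, name)
  path = File.join(base_dir, name)
  File.exist?(path) ? File.read(path) : nil
end

# Hardened version: canonicalise the path (collapsing ".." and following
# symlinks), then require the result to sit inside base_dir and to be a
# regular .txt file before reading it.
def open_local_file_safe(base_dir, name)
  base = File.realpath(base_dir)
  candidate = File.expand_path(name, base)   # lexical normalisation of "..", "."
  return nil unless File.file?(candidate)
  resolved = File.realpath(candidate)        # resolves symlinks to the real target
  return nil unless resolved.start_with?(base + File::SEPARATOR)
  return nil unless File.extname(resolved) == '.txt'
  File.read(resolved)
end

# Constructed fixture: a sandbox with one legitimate screen definition and a
# file one level above the served directory, so the containment check has
# something concrete to reject. Returns what each helper hands back.
def traversal_demo
  Dir.mktmpdir do |root|
    screens = File.join(root, 'screens')
    FileUtils.mkdir_p(screens)
    File.write(File.join(screens, 'demo.txt'), 'SCREEN AUTO AUTO 1.0')
    File.write(File.join(root, 'outside.txt'), 'outside the served directory')
    {
      legit_unsafe: open_local_file_unsafe(screens, 'demo.txt'),
      legit_safe: open_local_file_safe(screens, 'demo.txt'),
      escape_unsafe: open_local_file_unsafe(screens, '../outside.txt'),
      escape_safe: open_local_file_safe(screens, '../outside.txt')
    }
  end
end
```

The hardened helper rejects the escaping name with `nil` while still serving the legitimate screen; comparing against `base + File::SEPARATOR` also prevents a sibling directory with a matching prefix (e.g. `screens2`) from passing the check.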