Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Assemblyline 4 Service Client: Arbitrary Write through path traversal in Client code
Vulnerability Description
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Vulnerability Type
相对路径遍历
Vulnerability Title
Assemblyline 4 Service Client 安全漏洞
Vulnerability Description
Assemblyline 4 Service Client是Canadian Centre for Cyber Security开源的一个在Assemblyline 4中发布服务结果的服务客户端。 Assemblyline 4 Service Client 4.6.1.dev138之前版本存在安全漏洞,该漏洞源于直接使用服务端返回的SHA-256值作为本地文件名,可能导致路径遍历攻击。
CVSS Information
N/A
Vulnerability Type
N/A