Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)
Vulnerability Description
Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
CWE-61
Vulnerability Title
Open OnDemand 安全漏洞
Vulnerability Description
Open OnDemand是Ohio Supercomputer Center开源的一个通过Web实现开放式交互式HPC的软件。 Open OnDemand 4.0.8之前版本和3.1.16之前版本存在安全漏洞,该漏洞源于TOCTOU攻击,可能导致访问OOD_ALLOWLIST之外的文件。
CVSS Information
N/A
Vulnerability Type
N/A