漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true
Vulnerability Description
Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue.
CVSS Information
N/A
Vulnerability Type
CWE-61
Vulnerability Title
Copier 安全漏洞
Vulnerability Description
Copier是Copier开源的一个用于渲染项目模板的库。 Copier 9.11.2之前版本存在安全漏洞,该漏洞源于使用符号链接和特定设置可能导致写入目标路径之外的任意目录。
CVSS Information
N/A
Vulnerability Type
N/A