CVE: CVE-2023-3431
Type: Improper Access Control
Severity: Medium (5.3)
Affected Version: v1.2023.8
Status: Fixed

Description:
- The online server's default setting of disables local file access through . However, other features like can still access local files. This poses a risk since often runs in its default configuration.
- A Proof of Concept is provided using a Docker run command and a JSON file to exploit this vulnerability, which allows reading local JSON files and confirming the existence of files.

Timeline:
- The report was processed and the plantuml team was contacted within 24 hours.
- A GitHub Issue was raised.
- A member of the plantuml team was contacted.
- The maintainer of plantuml/plantuml acknowledged the report.
- The vulnerability was validated by PlantUML.
- The fix bounty is now up for grabs.
- The researcher's credibility increased (+7).
- The vulnerability was marked as fixed in 1.2023.9 with commit .
- The fix bounty has been dropped.
- The vulnerability has now been published.