Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[CVE-2021-33896] Path traversal in Dino file transfers

Related Vulnerabilities: CVE-2021-33896  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2021-33896] Path traversal in Dino file transfers

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Dino Team &lt;team () dino im&gt;

Date: Mon, 7 Jun 2021 10:54:03 -0600

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
### Affected software

Dino (Instant Messenger) - https://dino.im/

### Severity

Medium (4.7): AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

### Affected versions
- Release version 0.2.0
- Release version 0.1.1 and earlier
- Nightly version 0.2.0~git113.20210601.1ac16ecd and earlier

### Fixed versions
- Release version 0.2.1
- Release version 0.1.2
- Nightly version 0.2.0~git114.20210607.0c8d25b7

### Description

It was discovered that when a user receives and downloads a file in
Dino, URI-encoded path separators in the file name will be decoded,
allowing an attacker to traverse directories and create arbitrary files
in the context of the user.

This vulnerability does not allow to overwrite or modify existing files
and the attacker cannot control the executable flag of created files.
However, third-party software may be affected by newly created
configuration files, potentially allowing for code execution.

The file name, including path separators, is displayed to the user,
however, long file names are ellipsized in the middle of the file name,
allowing the attacker to hide the malicious path separators, as long as
the resulting file name has sufficient length.

### Advice

All deployments should upgrade to a fixed version or apply the patch
from commit 0c8d25b7a3e7a10a506f1e19b868fe9b0c761495.

### Credits

Many thanks to CTurt (Google) for discovering and reporting this issue.

### Links

- https://dino.im/security/cve-2021-33896/
- https://github.com/dino/dino/commit/0c8d25b7
- https://github.com/dino/dino/releases/tag/v0.2.1
- https://github.com/dino/dino/releases/tag/v0.1.2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33896
- https://nvd.nist.gov/vuln/detail/CVE-2021-33896

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[CVE-2021-33896] Path traversal in Dino file transfers Dino Team (Jun 07)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started