
5.3.0 - Security patch

@Webklex Webklex released this 20 Jun 11:44

Fixed

  • Potential RCE through path traversal fixed #414 (special thanks @angelej)

Security Impact and Mitigation

All versions below v5.3.0 are affected.
Update to v5.3.0 or later as soon as possible. The affected code is the Attachment::save
method, which writes an attachment to the local filesystem. Its path argument was not
properly sanitized, so a crafted path could cause files to be written to arbitrary locations.

However, the Attachment::save method is not called by default; it has to be invoked
explicitly. If you call this method without sanitizing the path yourself, you are
affected by this vulnerability.
If you do not use this method, or you already pass a sanitized path, you are not affected
by this vulnerability and no immediate action is required.
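The advice above is to pass a sanitized path. The following is an added example of what that caller-side sanitization can look like; it is not code from this release or from the php-imap project, and it makes no claim about how the project's own fix works. It assumes the method signature `Attachment::save(string $path, ?string $filename = null)` (an assumption about the API); everything else is plain PHP with no library dependency, and the sample filenames are constructed.

```php
<?php
// Added example (not php-imap project code): caller-side sanitization of an
// attachment filename before it is written below a fixed directory.
// Assumes Attachment::save(string $path, ?string $filename = null) as the
// method signature; nothing below depends on the library itself.

declare(strict_types=1);

/**
 * Reduce an untrusted attachment name (e.g. taken from a MIME header) to a
 * single, safe path component. Directory separators, traversal sequences and
 * control characters are removed; an empty result gets a neutral fallback.
 */
function sanitizeAttachmentName(string $untrusted): string
{
    // Drop any directory part, whichever separator the sender used.
    $name = basename(str_replace('\\', '/', $untrusted));
    // Remove NUL bytes and other control characters.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? '';
    // Keep a conservative character set; everything else becomes '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '';
    // Strip leading dots so the result cannot be '.', '..' or a hidden file.
    $name = ltrim($name, '.');
    return $name === '' ? 'attachment.bin' : $name;
}

/**
 * Build the final path under $baseDir and verify, after path resolution,
 * that it still lies inside $baseDir. Throws instead of writing elsewhere.
 */
function resolveSavePath(string $baseDir, string $untrustedName): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("Base directory does not exist: $baseDir");
    }
    $target = $base . DIRECTORY_SEPARATOR . sanitizeAttachmentName($untrustedName);
    // The file may not exist yet, so resolve the containing directory instead
    // and require it to be exactly the base directory.
    $parent = realpath(dirname($target));
    if ($parent !== $base) {
        throw new RuntimeException("Refusing to write outside $base: $target");
    }
    return $target;
}

// Constructed sample names, as they might arrive in a Content-Disposition header.
$samples = [
    'report.pdf',
    '../../../etc/passwd',
    '..\\..\\windows\\win.ini',
    '.htaccess',
    "bad\0name.txt",
];
$baseDir = sys_get_temp_dir();
foreach ($samples as $raw) {
    echo str_pad(json_encode($raw), 32) . ' -> ' . resolveSavePath($baseDir, $raw) . PHP_EOL;
}

// Hypothetical use with the library, where $attachment is an Attachment object
// and getName() returns the sender-supplied filename (assumed accessor):
// $safe = sanitizeAttachmentName($attachment->getName());
// $attachment->save($baseDir . DIRECTORY_SEPARATOR, $safe);
```

The two checks are deliberately independent: `sanitizeAttachmentName` makes the name a single path component, and `resolveSavePath` verifies after `realpath` that the result still lives under the intended directory, so a mistake in one layer does not silently become an arbitrary write.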

If you have any questions, please feel welcome to join this issue: #416

Timeline

  • 17.06.23 21:30: Vulnerability reported
  • 18.06.23 19:14: Vulnerability confirmed
  • 19.06.23 18:41: Vulnerability fixed via PR #414
  • 20.06.23 13:45: Security patch released