Fluid Attacks Database

Description

diffoscope Path Traversal vulnerability diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	diffoscope	>=0 <256	256
debian 11	diffoscope	=177 \|\| =178 \|\| =179 \|\| =180 \|\| =180~bpo11+1 \|\| =181 \|\| =182 \|\| =183 \|\| =184 \|\| =185 \|\| =185~bpo11+1 \|\| =186 \|\| =186~bpo11+1 \|\| =187 \|\| =187~bpo11+1 \|\| =188 \|\| =188~bpo11+1 \|\| =189 \|\| =189~bpo11+1 \|\| =190 \|\| =191 \|\| =192 \|\| =193 \|\| =194 \|\| =194~bpo11+1 \|\| =195 \|\| =196 \|\| =196~bpo11+1 \|\| =197 \|\| =198 \|\| =199 \|\| =199~bpo11+1 \|\| =200 \|\| =200~bpo11+1 \|\| =201 \|\| =201~bpo11+1 \|\| =202 \|\| =203 \|\| =204 \|\| =205 \|\| =206 \|\| =206~bpo11+1 \|\| =207 \|\| =208 \|\| =209 \|\| =210 \|\| =211 \|\| =211~bpo11+1 \|\| =212 \|\| =213 \|\| =214 \|\| =215 \|\| =216 \|\| =217 \|\| =218 \|\| =219 \|\| =220 \|\| =221 \|\| =221~bpo11+1 \|\| =222 \|\| =223 \|\| =224 \|\| =225 \|\| =226 \|\| =227 \|\| =228 \|\| =229 \|\| =230 \|\| =231 \|\| =232 \|\| =233 \|\| =234 \|\| =235 \|\| =236 \|\| =237 \|\| =238 \|\| =238~bpo11+1 \|\| =239 \|\| =240 \|\| =241 \|\| =242 \|\| =243 \|\| =244 \|\| =245 \|\| =246 \|\| =247 \|\| =248 \|\| =249 \|\| =250 \|\| =251 \|\| =252 \|\| =253 \|\| =254 \|\| =255 \|\| =256 \|\| =257 \|\| =258 \|\| =259 \|\| =260 \|\| =261 \|\| =262 \|\| =263 \|\| =264 \|\| =265 \|\| =266 \|\| =267 \|\| =268 \|\| =269 \|\| =270 \|\| =271 \|\| =272 \|\| =273 \|\| =274 \|\| =275 \|\| =276 \|\| =277 \|\| =278 \|\| =279 \|\| =280 \|\| =281 \|\| =282 \|\| =283 \|\| =284 \|\| =285 \|\| =286 \|\| =287 \|\| =288 \|\| =289 \|\| =290 \|\| =291 \|\| =292 \|\| =293 \|\| =294 \|\| =295 \|\| =296 \|\| =297 \|\| =298 \|\| =299 \|\| =300 \|\| =301 \|\| =302 \|\| =303 \|\| =304 \|\| =305 \|\| =306 \|\| =306~bpo13+1 \|\| =307 \|\| =308 \|\| =309 \|\| =310 \|\| =311 \|\| =312 \|\| =313 \|\| =314 \|\| =315 \|\| =316 \|\| =317	-
debian 12	diffoscope	=240 \|\| =240+deb12u1 \|\| =241 \|\| =242 \|\| =243 \|\| =244 \|\| =245 \|\| =246 \|\| =247 \|\| =248 \|\| =249 \|\| =250 \|\| =251 \|\| =252 \|\| =253 \|\| =254 \|\| =255 \|\| =256 \|\| =257 \|\| =258 \|\| =259 \|\| =260 \|\| =261 \|\| =262 \|\| =263 \|\| =264 \|\| =265 \|\| =266 \|\| =267 \|\| =268 \|\| =269 \|\| =270 \|\| =271 \|\| =272 \|\| =273 \|\| =274 \|\| =275 \|\| =276 \|\| =277 \|\| =278 \|\| =279 \|\| =280 \|\| =281 \|\| =282 \|\| =283 \|\| =284 \|\| =285 \|\| =286 \|\| =287 \|\| =288 \|\| =289 \|\| =290 \|\| =291 \|\| =292 \|\| =293 \|\| =294 \|\| =295 \|\| =296 \|\| =297 \|\| =298 \|\| =299 \|\| =300 \|\| =301 \|\| =302 \|\| =303 \|\| =304 \|\| =305 \|\| =306 \|\| =306~bpo13+1 \|\| =307 \|\| =308 \|\| =309 \|\| =310 \|\| =311 \|\| =312 \|\| =313 \|\| =314 \|\| =315 \|\| =316 \|\| =317	-
debian 13	diffoscope	>=0 <256	256
debian 14	diffoscope	>=0 <256	256

Aliases

1. CVE-2024-257112. NVD-2024-257113. OSV-2024-257114. OSV-DEBIAN-2024-257115. GCVE-2024-257116. SECURITY-TRACKER-CVE-2024-25711

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/diffoscope/PYSEC-2024-41.yaml2. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUNBANAWD6TZH2NRRV4YUIAXEHLUJQ473. https://salsa.debian.org/reproducible-builds/diffoscope4. https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/dfed769904c27d66a14a5903823d9c8c5aae860e5. https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.