Description

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`. The attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.

INFO

Published Date :

2024-06-24T17:36:21.827Z

Last Modified :

2024-08-02T22:01:26.011Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2023-49793 vulnerability.

Vendors Products
Ericsson
  • Codechecker
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2023-49793.

URL Resource
https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a cve-icon cve-icon cve-icon
https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact