CVE-2023-2316 - OpenCVE

Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Linux	Linux Kernel
Microsoft	Windows
Typora	Typora

Configuration 1 [-]

AND

cpe:2.3:a:typora:typora:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

References

Link	Resource
https://starlabs.sg/advisories/23/23-2316/	Exploit Mitigation Third Party Advisory
https://support.typora.io/What's-New-1.6/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: STAR_Labs

Published: 2023-08-19T05:34:20.390Z

Updated: 2023-08-19T05:34:20.390Z

Reserved: 2023-04-27T04:51:09.913Z

Link: CVE-2023-2316

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-08-19T06:15:46.420

Modified: 2023-08-24T18:56:26.503

Link: CVE-2023-2316

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2316", "assignerOrgId": "b1571b85-cbc9-431f-830b-0c8155323a69", "state": "PUBLISHED", "assignerShortName": "STAR_Labs", "dateReserved": "2023-04-27T04:51:09.913Z", "datePublished": "2023-08-19T05:34:20.390Z", "dateUpdated": "2023-08-19T05:34:20.390Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "Typora", "vendor": "Typora", "versions": [{"lessThan": "1.6.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Li Jiantao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs_sg)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via \"typora://app/<absolute-path>\". \n\n<div><div>This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.</div></div>\n\n"}], "value": "Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via \"typora://app/<absolute-path>\". \n\nThis vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-597", "descriptions": [{"lang": "en", "value": "CAPEC-597 Absolute Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b1571b85-cbc9-431f-830b-0c8155323a69", "shortName": "STAR_Labs", "dateUpdated": "2023-08-19T05:34:20.390Z"}, "references": [{"tags": ["release-notes"], "url": "https://support.typora.io/What's-New-1.6/"}, {"tags": ["third-party-advisory"], "url": "https://starlabs.sg/advisories/23/23-2316/"}], "source": {"discovery": "UNKNOWN"}, "title": "Typora Local File Disclosure", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typora:typora:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A864E61-1493-40D3-9EFB-A8124F2FE28E", "versionEndExcluding": "1.6.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via \"typora://app/<absolute-path>\". \n\nThis vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.\n\n\n\n\n\n"}], "id": "CVE-2023-2316", "lastModified": "2023-08-24T18:56:26.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "info@starlabs.sg", "type": "Secondary"}]}, "published": "2023-08-19T06:15:46.420", "references": [{"source": "info@starlabs.sg", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://starlabs.sg/advisories/23/23-2316/"}, {"source": "info@starlabs.sg", "tags": ["Vendor Advisory"], "url": "https://support.typora.io/What's-New-1.6/"}], "sourceIdentifier": "info@starlabs.sg", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "info@starlabs.sg", "type": "Secondary"}]}