CVE-2023-41057 - OpenCVE

Vendors	Products
Plannigan	Hyper Bump It

Link	Resource
https://github.com/plannigan/hyper-bump-it/pull/307	Patch
https://github.com/plannigan/hyper-bump-it/security/advisories/GHSA-xc27-f9q3-4448	Exploit Patch Vendor Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-41057", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-22T16:57:23.934Z", "datePublished": "2023-09-04T17:19:28.702Z", "dateUpdated": "2023-09-04T17:19:28.702Z"}, "containers": {"cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hyper-bump-it", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/plannigan/hyper-bump-it/security/advisories/GHSA-xc27-f9q3-4448", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/plannigan/hyper-bump-it/security/advisories/GHSA-xc27-f9q3-4448"}, {"name": "https://github.com/plannigan/hyper-bump-it/pull/307", "tags": ["x_refsource_MISC"], "url": "https://github.com/plannigan/hyper-bump-it/pull/307"}], "affected": [{"vendor": "plannigan", "product": "hyper-bump-it", "versions": [{"version": "< 0.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-04T17:19:28.702Z"}, "descriptions": [{"lang": "en", "value": "hyper-bump-it is a command line tool for updating the version in project files.`hyper-bump-it` reads a file glob pattern from the configuration file. That is combined with the project root directory to construct a full glob pattern that is used to find files that should be edited. These matched files should be contained within the project root directory, but that is not checked. This could result in changes being written to files outside of the project. The default behaviour of `hyper-bump-it` is to display the planned changes and prompt the user for confirmation before editing any files. However, the configuration file provides a field that can be used cause files to be edited without displaying the prompt. This issue has been fixed in release version 0.5.1. Users are advised to upgrade. Users that are unable to update from vulnerable versions, executing `hyper-bump-it` with the `--interactive` command line argument will ensure that all planned changes are displayed and prompt the user for confirmation before editing any files, even if the configuration file contains `show_confirm_prompt=true`.\n"}], "source": {"advisory": "GHSA-xc27-f9q3-4448", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plannigan:hyper_bump_it:*:*:*:*:*:python:*:*", "matchCriteriaId": "69EA70AA-6E78-4DAD-9706-0DB5159CFA90", "versionEndExcluding": "0.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "hyper-bump-it is a command line tool for updating the version in project files.`hyper-bump-it` reads a file glob pattern from the configuration file. That is combined with the project root directory to construct a full glob pattern that is used to find files that should be edited. These matched files should be contained within the project root directory, but that is not checked. This could result in changes being written to files outside of the project. The default behaviour of `hyper-bump-it` is to display the planned changes and prompt the user for confirmation before editing any files. However, the configuration file provides a field that can be used cause files to be edited without displaying the prompt. This issue has been fixed in release version 0.5.1. Users are advised to upgrade. Users that are unable to update from vulnerable versions, executing `hyper-bump-it` with the `--interactive` command line argument will ensure that all planned changes are displayed and prompt the user for confirmation before editing any files, even if the configuration file contains `show_confirm_prompt=true`.\n"}, {"lang": "es", "value": "hyper-bump-it es una herramienta de l\u00ednea de comandos para actualizar la versi\u00f3n de los archivos del proyecto. Hyper-bump-it lee un patr\u00f3n glob del archivo de configuraci\u00f3n. Esto se combina con el directorio ra\u00edz del proyecto para construir un patr\u00f3n glob completo que se utiliza para encontrar los archivos que deben ser editados. Estos archivos deben estar dentro del directorio ra\u00edz del proyecto, pero esto no se comprueba. Esto podr\u00eda provocar que los cambios se escribieran en ficheros fuera del proyecto. El comportamiento por defecto de hyper-bump-it es mostrar los cambios planeados y pedir confirmaci\u00f3n al usuario antes de editar cualquier fichero. Sin embargo, el fichero de configuraci\u00f3n proporciona un campo que puede utilizarse para editar ficheros sin que aparezca la pregunta. Este problema se ha solucionado en la versi\u00f3n 0.5.1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar desde versiones vulnerables, ejecutando hyper-bump-it con el argumento de l\u00ednea de comandos \"--interactive\" se asegurar\u00e1n de que se muestren todos los cambios planificados y pedir\u00e1n confirmaci\u00f3n al usuario antes de editar cualquier archivo, incluso si el archivo de configuraci\u00f3n contiene \"show_confirm_prompt=true\". "}], "id": "CVE-2023-41057", "lastModified": "2023-09-08T17:22:48.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-04T18:15:09.397", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/plannigan/hyper-bump-it/pull/307"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/plannigan/hyper-bump-it/security/advisories/GHSA-xc27-f9q3-4448"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

JSON object

JSON object

JSON object