GSD-2024-30265

Vulnerability from gsd - Updated: 2024-04-03 05:02
Details
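Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voilà dashboard allows local file inclusion. Any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6. (Note: the record below lists the affected product as voila from voila-dashboards, and every reference points to that project; the opening sentence about Collabora Online does not match this and looks like it was carried over into the upstream description by mistake. The record classifies the weakness as CWE-73, External Control of File Name or Path, and the impact as confidentiality only.)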
Aliases

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-30265"
      ],
      "details": "Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voil\u00e0 dashboard allow local file inclusion. Any file on a filesystem that is readable by the user that runs the voil\u00e0 dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voil\u00e0 is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6.\n",
      "id": "GSD-2024-30265",
      "modified": "2024-04-03T05:02:29.115652Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-30265",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "voila",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.0.2, \u003c 0.2.17"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.3.0a0, \u003c 0.3.8"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.4.0a0, \u003c 0.4.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.5.0a0, \u003c 0.5.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "voila-dashboards"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voil\u00e0 dashboard allow local file inclusion. Any file on a filesystem that is readable by the user that runs the voil\u00e0 dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voil\u00e0 is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-73",
                "lang": "eng",
                "value": "CWE-73: External Control of File Name or Path"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/voila-dashboards/voila/security/advisories/GHSA-2q59-h24c-w6fg",
            "refsource": "MISC",
            "url": "https://github.com/voila-dashboards/voila/security/advisories/GHSA-2q59-h24c-w6fg"
          },
          {
            "name": "https://github.com/voila-dashboards/voila/commit/00d6362c237b6b4d466873535554d6076ead0c52",
            "refsource": "MISC",
            "url": "https://github.com/voila-dashboards/voila/commit/00d6362c237b6b4d466873535554d6076ead0c52"
          },
          {
            "name": "https://github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67",
            "refsource": "MISC",
            "url": "https://github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67"
          },
          {
            "name": "https://github.com/voila-dashboards/voila/commit/5542e4ae36bb5d184deaa48f95e76be477756af2",
            "refsource": "MISC",
            "url": "https://github.com/voila-dashboards/voila/commit/5542e4ae36bb5d184deaa48f95e76be477756af2"
          },
          {
            "name": "https://github.com/voila-dashboards/voila/commit/98b6a40fec27723572314fdbba99bdc147d904c8",
            "refsource": "MISC",
            "url": "https://github.com/voila-dashboards/voila/commit/98b6a40fec27723572314fdbba99bdc147d904c8"
          },
          {
            "name": "https://github.com/voila-dashboards/voila/commit/c045be6988539d07cceeb9f82fc660a49485d504",
            "refsource": "MISC",
            "url": "https://github.com/voila-dashboards/voila/commit/c045be6988539d07cceeb9f82fc660a49485d504"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2q59-h24c-w6fg",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voil\u00e0 dashboard allow local file inclusion. Any file on a filesystem that is readable by the user that runs the voil\u00e0 dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voil\u00e0 is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6.\n"
          },
          {
            "lang": "es",
            "value": "Collabora Online es una suite ofim\u00e1tica colaborativa en l\u00ednea basada en la tecnolog\u00eda LibreOffice. Cualquier implementaci\u00f3n del panel voil\u00e0 permite la inclusi\u00f3n de archivos locales. Cualquier archivo en un sistema de archivos que sea legible por el usuario que ejecuta el servidor del panel voil\u00e0 puede ser descargado por alguien con acceso de red al servidor. Si esto todav\u00eda requiere autenticaci\u00f3n depende de c\u00f3mo se implemente voil\u00e0. Este problema se solucion\u00f3 en 0.2.17, 0.3.8, 0.4.4 y 0.5.6."
          }
        ],
        "id": "CVE-2024-30265",
        "lastModified": "2024-04-04T12:48:41.700",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-03T23:15:13.423",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/voila-dashboards/voila/commit/00d6362c237b6b4d466873535554d6076ead0c52"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/voila-dashboards/voila/commit/5542e4ae36bb5d184deaa48f95e76be477756af2"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/voila-dashboards/voila/commit/98b6a40fec27723572314fdbba99bdc147d904c8"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/voila-dashboards/voila/commit/c045be6988539d07cceeb9f82fc660a49485d504"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/voila-dashboards/voila/security/advisories/GHSA-2q59-h24c-w6fg"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-73"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

