Symlink Attackbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Symlink Attack in the unarchive process when extracting zip or 7z archives containing symlink entries with a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. An attacker can plant arbitrary symlinks in the extraction directory by providing a specially crafted archive. This is only exploitable if the host uses a legacy p7zip build that produces such archives; current mainline 7-Zip is not affected.
How to fix Symlink Attack? Upgrade bbot to version 3.0.0 or higher.
| |
Directory Traversalbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Directory Traversal via the github_workflows process. An attacker can write files outside the intended output directory by supplying a crafted CODE_REPOSITORY URL containing directory traversal sequences. The write operation is limited to two directory levels above the output location, and the final target path is determined by the operator's configuration, not the attacker.
How to fix Directory Traversal? Upgrade bbot to version 3.0.0 or higher.
| |
Symlink Attackbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Symlink Attack via the github_workflows process. An attacker can cause files to be written to arbitrary locations by planting a symlink at a predictable output path.
How to fix Symlink Attack? Upgrade bbot to version 2.8.5 or higher.
| |
UNIX Symbolic Link (Symlink) Followingbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the unarchive process. An attacker can overwrite arbitrary files outside the intended extraction directory by submitting a specially crafted archive containing directory traversal sequences. This is only exploitable if the system is using GNU tar versions earlier than 1.34.
How to fix UNIX Symbolic Link (Symlink) Following? Upgrade bbot to version 2.8.5 or higher.
| |
Out-of-bounds Readbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Out-of-bounds Read via the postman_download process. An attacker can write arbitrary files to the user's system by supplying a crafted workspace name containing path traversal characters.
How to fix Out-of-bounds Read? Upgrade bbot to version 2.8.6 or higher.
| |
Server-side Request Forgery (SSRF)bbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the docker_pull process when the realm parameter from a Docker registry's WWW-Authenticate response header is used as the authentication endpoint without validation. An attacker can cause authentication requests to be redirected to arbitrary endpoints and potentially leak authentication tokens by modifying the response header in a man-in-the-middle position.
How to fix Server-side Request Forgery (SSRF)? Upgrade bbot to version 2.8.5 or higher.
| |
Information Exposurebbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Information Exposure via the gitlab process. An attacker can obtain sensitive API key information by tricking the system into connecting to a maliciously crafted git URL.
How to fix Information Exposure? Upgrade bbot to version 2.7.0 or higher.
| |
Information Exposurebbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Information Exposure via git_clone. An attacker can obtain sensitive information by tricking a user into cloning a repository using a specially crafted URL that causes the API key to be sent to an attacker-controlled server.
How to fix Information Exposure? Upgrade bbot to version 2.7.0 or higher.
| |
Directory Traversalbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Directory Traversal via gitdumper. An attacker can execute arbitrary commands by crafting a malicious git repository.
How to fix Directory Traversal? Upgrade bbot to version 2.7.0 or higher.
| |
Directory Traversalbbot is an OSINT automation for hackers.
Affected versions of this package are vulnerable to Directory Traversal via unarchive.py. An attacker can execute arbitrary code by supplying a specially crafted archive file that, when extracted, writes files to arbitrary locations on the file system.
How to fix Directory Traversal? Upgrade bbot to version 2.7.0 or higher.
| |