bbot@2.8.3.7550rc0

OSINT automation for hackers.

  • latest version

    2.8.6

  • latest non vulnerable version

  • first published

    3 years ago

  • latest version published

    18 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the bbot package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: L (Low)
    Symlink Attack

    bbot is an OSINT automation for hackers.

    Affected versions of this package are vulnerable to Symlink Attack via the github_workflows process. An attacker can cause files to be written to arbitrary locations by planting a symlink at a predictable output path.

    How to fix Symlink Attack?

    Upgrade bbot to version 2.8.5 or higher.

    Vulnerable versions: [2.0.0,2.8.5)
    • Severity: M (Medium)
    UNIX Symbolic Link (Symlink) Following

    Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the unarchive process. An attacker can overwrite arbitrary files outside the intended extraction directory by submitting a specially crafted archive containing directory traversal sequences. This is only exploitable if the system is using GNU tar versions earlier than 1.34.

    How to fix UNIX Symbolic Link (Symlink) Following?

    Upgrade bbot to version 2.8.5 or higher.

    Vulnerable versions: [2.3.1,2.8.5)
    • Severity: H (High)
    Out-of-bounds Read

    Affected versions of this package are vulnerable to Out-of-bounds Read via the postman_download process. An attacker can write arbitrary files to the user's system by supplying a crafted workspace name containing path traversal characters.

    How to fix Out-of-bounds Read?

    Upgrade bbot to version 2.8.6 or higher.

    Vulnerable versions: [2.1.0,2.8.6)
    • Severity: L (Low)
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the docker_pull process when the realm parameter from a Docker registry's WWW-Authenticate response header is used as the authentication endpoint without validation. An attacker can cause authentication requests to be redirected to arbitrary endpoints and potentially leak authentication tokens by modifying the response header in a man-in-the-middle position.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade bbot to version 2.8.5 or higher.

    Vulnerable versions: [2.0.0,2.8.5)