codechecker@6.17.0 vulnerabilities

codechecker is an analyzer tooling, defect database and viewer extension

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the form of giving the unremovable auto-generated root user superuser privileges by default. An attacker in possession of this username can control everything that can be controlled via the web interface, and can create an account on an enabled external service.

Upgrade codechecker to version 6.24.2 or higher.

codechecker is an analyzer tooling, defect database and viewer extension

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to improperly parsing the endpoint path, which allows bypassing authentication on all but the /Authentication endpoint. An attacker can gain superuser access to these endpoints to query, add, edit, and delete products.

Upgrade codechecker to version 6.24.2 or higher.

codechecker is an analyzer tooling, defect database and viewer extension

Affected versions of this package are vulnerable to Directory Traversal due to improperly sanitized ZIP files, that are uploaded to the server-side endpoint handling a CodeChecker store. An attacker can make the CodeChecker server load and display files from an arbitrary location on the server machine.

Note: If the CodeChecker server is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the CodeChecker server, with the permission to store to a database and view the stored reports.

Upgrade codechecker to version 6.23.0 or higher.

codechecker is an analyzer tooling, defect database and viewer extension

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.

Upgrade codechecker to version 6.18.2 or higher.