Privilege Escalation Affecting github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel package, versions <2020.8.1


0.0
high
  • Attack Complexity

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMCLOUDFLARECLOUDFLAREDCMDCLOUDFLAREDTUNNEL-1296549

  • published

    25 May 2021

  • disclosed

    24 May 2021

  • credit

    AgentBTZ

How to fix?

Upgrade github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel to version 2020.8.1 or higher.

Overview

github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel is an Argo Tunnel client.

Affected versions of this package are vulnerable to Privilege Escalation. On Windows, if an administrator has set cloudflared to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration is due to the way that cloudflared reads its configuration file. One of the locations that cloudflared reads from (C:\etc\) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user.

References