Arbitrary File Overwrite Affecting mozwire package, versions <0.5.0


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.1% (44th percentile)

  • Snyk ID: SNYK-RUST-MOZWIRE-608075
  • published: 21 Aug 2020
  • disclosed: 18 Aug 2020
  • credit: alexanderkjall

Introduced: 18 Aug 2020

CVE-2020-35883
CWE-23

How to fix?

Upgrade mozwire to version 0.5.0 or higher.

Overview

mozwire is an unofficial cross-platform client for MozillaVPN, finally giving users of Linux, macOS, FreeBSD, OpenBSD and other platforms that support the WireGuard protocol access to this VPN provider.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. The client software downloads a list of servers from Mozilla and creates local files named after the hostname field in the JSON document. The resulting paths are not verified, which can lead to a path traversal.
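The kind of check the overview says is missing, as an added example (this is not mozwire's code and not its actual fix): each server-supplied hostname must be a single plain file name before it is joined to the output directory. The function name `config_path`, the output directory and the `.conf` suffix are assumptions, and the hostnames are constructed sample values.

```rust
use std::path::{Component, Path, PathBuf};

/// Build the output path for one server entry, rejecting any hostname that
/// is not a single plain file name. `out_dir` and the ".conf" suffix are
/// assumptions made for this example.
fn config_path(out_dir: &Path, hostname: &str) -> Result<PathBuf, String> {
    // Allow-list: DNS-style characters only. Rejects '/', '\\', NUL, spaces.
    let allowed = |c: char| c.is_ascii_alphanumeric() || c == '-' || c == '.';
    if hostname.is_empty() || hostname.len() > 253 || !hostname.chars().all(allowed) {
        return Err(format!("rejected hostname {:?}: illegal characters", hostname));
    }
    // The name must parse as exactly one normal path component, which
    // excludes "." and ".." (both pass the character allow-list above).
    let mut parts = Path::new(hostname).components();
    match (parts.next(), parts.next()) {
        (Some(Component::Normal(_)), None) => {}
        _ => return Err(format!("rejected hostname {:?}: not a plain file name", hostname)),
    }
    let path = out_dir.join(format!("{}.conf", hostname));
    // Final invariant: the file sits directly inside the output directory.
    if path.parent() != Some(out_dir) {
        return Err(format!("rejected hostname {:?}: escapes {:?}", hostname, out_dir));
    }
    Ok(path)
}

fn main() {
    // Constructed values standing in for the "hostname" field of the list.
    let out_dir = Path::new("/tmp/wg-configs");
    for h in ["server-001", "../outside", "/abs/name", "..", "a/b"].iter() {
        match config_path(out_dir, h) {
            Ok(p) => println!("write {}", p.display()),
            Err(e) => println!("skip  {}", e),
        }
    }
}
```
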

CVSS Scores

version 3.1