Download of Code Without Integrity Check

CVE-2021-41714

High

7.7/10

Summary

In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-494 - Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References

Advisory Timeline

Published May 23, 2022

Download of Code Without Integrity Check

CVE-2021-41714

Summary

CWE-494 - Download of Code Without Integrity Check

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS