{"id":"CVE-2017-6199","details":"In Sandstorm before build 0.203, a remote attacker could bypass the organization restriction via a comma in an email-address field.","modified":"2026-04-10T04:01:51.186658Z","published":"2018-02-06T16:29:00.730Z","references":[{"type":"ADVISORY","url":"https://sandstorm.io/news/2017-03-02-security-review"},{"type":"ADVISORY","url":"https://github.com/sandstorm-io/sandstorm/blob/v0.202/shell/packages/sandstorm-db/db.js#L1112"},{"type":"FIX","url":"https://github.com/sandstorm-io/sandstorm/commit/37bd9a7f4eb776cdc2d3615f0bfea1254b66f59d"},{"type":"EVIDENCE","url":"https://devco.re/blog/2018/01/26/Sandstorm-Security-Review-CVE-2017-6200-en/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sandstorm-io/sandstorm","events":[{"introduced":"0"},{"fixed":"de824e86b13e1acc2129b80911520de6068ba2ea"},{"fixed":"37bd9a7f4eb776cdc2d3615f0bfea1254b66f59d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.203"}]}}],"versions":["v0.101","v0.102","v0.103","v0.104","v0.105","v0.106","v0.107","v0.108","v0.109","v0.11","v0.110","v0.111","v0.112","v0.113","v0.114","v0.115","v0.116","v0.117","v0.119","v0.12","v0.120","v0.121","v0.122","v0.126","v0.127","v0.128","v0.129","v0.13","v0.130","v0.131","v0.132","v0.133","v0.134","v0.135","v0.136","v0.137","v0.138","v0.139","v0.14","v0.140","v0.141","v0.142","v0.143","v0.144","v0.145","v0.146","v0.147","v0.148","v0.149","v0.15","v0.150","v0.151","v0.152","v0.154","v0.155","v0.156","v0.157","v0.158","v0.159","v0.16","v0.160","v0.161","v0.162","v0.163","v0.164","v0.165","v0.166","v0.167","v0.168","v0.169","v0.170","v0.171","v0.172","v0.173","v0.174","v0.175","v0.176","v0.177","v0.178","v0.179","v0.18","v0.180","v0.181","v0.182","v0.183","v0.184","v0.185","v0.186","v0.187","v0.188","v0.189","v0.19","v0.190","v0.191","v0.192","v0.193","v0.194","v0.195","v0.196","v0.197","v0.198","v0.199","v0.20","v0.200","v0.201","v0.202","v0.21","v0.22","v0.23","v0.24","v0.25","v0.26","v0.27","v0.28","v0
.29","v0.30","v0.31","v0.32","v0.33","v0.35","v0.36","v0.37","v0.38","v0.39","v0.40","v0.41","v0.42","v0.46","v0.47","v0.48","v0.49","v0.5","v0.50","v0.51","v0.52","v0.53","v0.54","v0.55","v0.56","v0.57","v0.58","v0.59","v0.6","v0.60","v0.61","v0.62","v0.63","v0.64","v0.65","v0.66","v0.67","v0.68","v0.69","v0.7","v0.70","v0.71","v0.72","v0.73","v0.74","v0.75","v0.76","v0.77","v0.78","v0.79","v0.8","v0.80","v0.81","v0.82","v0.83","v0.84","v0.85","v0.86","v0.87","v0.88","v0.89","v0.90","v0.91","v0.92","v0.93","v0.94","v0.95","v0.96","v0.97","v0.98","v0.99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6199.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}