{"id":"RUSTSEC-2020-0030","summary":"Missing sanitization in mozwire allows local file overwrite of files ending in .conf","details":"The client software downloaded a list of servers from mozilla's servers and created local files named\nafter the hostname field in the json document.\n\nNo verification of the content of the string was made, and it could therefore have included '../' leading to path traversal.\n\nThis allows an attacker in control of mozilla's servers to overwrite/create local files named .conf.\n\nThe flaw was corrected by sanitizing the hostname field.","aliases":["CVE-2020-35883","GHSA-4vhw-4rw7-jfpv"],"modified":"2023-11-08T04:03:37.376395Z","published":"2020-08-18T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/mozwire"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2020-0030.html"},{"type":"REPORT","url":"https://github.com/NilsIrl/MozWire/issues/14"}],"affected":[{"package":{"name":"mozwire","ecosystem":"crates.io","purl":"pkg:cargo/mozwire"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.2-0"}]}],"ecosystem_specific":{"affects":{"functions":[],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0030.json","informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}