{"id":"PYSEC-2024-41","details":"diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the filename embedded in the GPG file is trusted when gpg is run with the --use-embedded-filename option.","aliases":["CVE-2024-25711","GHSA-33w6-hvmq-gh4x"],"modified":"2024-02-27T22:11:51.159563Z","published":"2024-02-27T02:15:00Z","references":[{"type":"WEB","url":"https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361"},{"type":"WEB","url":"https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/dfed769904c27d66a14a5903823d9c8c5aae860e"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUNBANAWD6TZH2NRRV4YUIAXEHLUJQ47/"}],"affected":[{"package":{"name":"diffoscope","ecosystem":"PyPI","purl":"pkg:pypi/diffoscope"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"256"}]}],"versions":["100","101","102","103","104","105","106","107","108","110","111","112","113","114","115","116","117","118","119","120","121","122","123","124","125","126","127","128","129","130","131","132","133","134","135","136","137","138","139","140","141","142","143","144","145","146","147","148","149","150","151","152","153","154","155","156","157","158","159","160","161","162","163","164","165","166","167","168","169","170","171","172","173","174","175","176","177","178","179","180","181","182","183","184","185","186","187","188","189","190","191","192","193","194","195","196","197","198","199","200","201","202","203","204","205","206","207","208","209","210","211","212","213","214","215","216","217","218","219","220","221","222","223","224","226","227","228","229","230","231","232","233","234","235","236","237","238","239","240","241","242","243","244","245","246","247","248","249","250","251","252","253","254","255","39","40","41","42","43","44","45","46","47","48","49","51","52","54","55","56","59","60"
,"61","62","63","64","65","66","67","68","69","70","71","72","73","74","75","76","77","78","79","80","81","82","83","84","85","86","87","88","89","90","91","92","93","94","95","96","97","98","99"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/diffoscope/PYSEC-2024-41.yaml"}}],"schema_version":"1.7.3"}