Vulnerability Details CVE-2017-6200
Sandstorm before build 0.203 allows remote attackers to read any specified file under /etc or /run via the sandbox backup function. The root cause is that the findFilesToZip function doesn't filter Line Feed (\n) characters in a directory name.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.0%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
References
- https://devco.re/blog/2018/01/26/Sandstorm-Security-Review-CVE-2017-6200-en/
- https://github.com/sandstorm-io/sandstorm/blob/v0.202/src/sandstorm/backup.c%2B%2B#L271
- https://github.com/sandstorm-io/sandstorm/commit/4ea8df7403381d9b657b121b3c98d8081b27414d
- https://github.com/sandstorm-io/sandstorm/commit/6e8572ea8bb56d0216bb1b410e5040edc051b120
- https://sandstorm.io/news/2017-03-02-security-review
- https://devco.re/blog/2018/01/26/Sandstorm-Security-Review-CVE-2017-6200-en/
- https://github.com/sandstorm-io/sandstorm/blob/v0.202/src/sandstorm/backup.c%2B%2B#L271
- https://github.com/sandstorm-io/sandstorm/commit/4ea8df7403381d9b657b121b3c98d8081b27414d
- https://github.com/sandstorm-io/sandstorm/commit/6e8572ea8bb56d0216bb1b410e5040edc051b120
- https://sandstorm.io/news/2017-03-02-security-review
Products affected by CVE-2017-6200
-
cpe:2.3:a:sandstorm:sandstorm:0.10
-
cpe:2.3:a:sandstorm:sandstorm:0.100
-
cpe:2.3:a:sandstorm:sandstorm:0.101
-
cpe:2.3:a:sandstorm:sandstorm:0.102
-
cpe:2.3:a:sandstorm:sandstorm:0.103
-
cpe:2.3:a:sandstorm:sandstorm:0.104
-
cpe:2.3:a:sandstorm:sandstorm:0.105
-
cpe:2.3:a:sandstorm:sandstorm:0.106
-
cpe:2.3:a:sandstorm:sandstorm:0.107
-
cpe:2.3:a:sandstorm:sandstorm:0.108
-
cpe:2.3:a:sandstorm:sandstorm:0.109
-
cpe:2.3:a:sandstorm:sandstorm:0.11
-
cpe:2.3:a:sandstorm:sandstorm:0.110
-
cpe:2.3:a:sandstorm:sandstorm:0.111
-
cpe:2.3:a:sandstorm:sandstorm:0.112
-
cpe:2.3:a:sandstorm:sandstorm:0.113
-
cpe:2.3:a:sandstorm:sandstorm:0.114
-
cpe:2.3:a:sandstorm:sandstorm:0.115
-
cpe:2.3:a:sandstorm:sandstorm:0.116
-
cpe:2.3:a:sandstorm:sandstorm:0.117
-
cpe:2.3:a:sandstorm:sandstorm:0.118
-
cpe:2.3:a:sandstorm:sandstorm:0.119
-
cpe:2.3:a:sandstorm:sandstorm:0.12
-
cpe:2.3:a:sandstorm:sandstorm:0.120
-
cpe:2.3:a:sandstorm:sandstorm:0.121
-
cpe:2.3:a:sandstorm:sandstorm:0.122
-
cpe:2.3:a:sandstorm:sandstorm:0.123
-
cpe:2.3:a:sandstorm:sandstorm:0.124
-
cpe:2.3:a:sandstorm:sandstorm:0.125
-
cpe:2.3:a:sandstorm:sandstorm:0.126
-
cpe:2.3:a:sandstorm:sandstorm:0.127
-
cpe:2.3:a:sandstorm:sandstorm:0.128
-
cpe:2.3:a:sandstorm:sandstorm:0.129
-
cpe:2.3:a:sandstorm:sandstorm:0.13
-
cpe:2.3:a:sandstorm:sandstorm:0.130
-
cpe:2.3:a:sandstorm:sandstorm:0.131
-
cpe:2.3:a:sandstorm:sandstorm:0.132
-
cpe:2.3:a:sandstorm:sandstorm:0.133
-
cpe:2.3:a:sandstorm:sandstorm:0.134
-
cpe:2.3:a:sandstorm:sandstorm:0.135
-
cpe:2.3:a:sandstorm:sandstorm:0.136
-
cpe:2.3:a:sandstorm:sandstorm:0.137
-
cpe:2.3:a:sandstorm:sandstorm:0.138
-
cpe:2.3:a:sandstorm:sandstorm:0.139
-
cpe:2.3:a:sandstorm:sandstorm:0.14
-
cpe:2.3:a:sandstorm:sandstorm:0.140
-
cpe:2.3:a:sandstorm:sandstorm:0.141
-
cpe:2.3:a:sandstorm:sandstorm:0.142
-
cpe:2.3:a:sandstorm:sandstorm:0.143
-
cpe:2.3:a:sandstorm:sandstorm:0.144
-
cpe:2.3:a:sandstorm:sandstorm:0.145
-
cpe:2.3:a:sandstorm:sandstorm:0.146
-
cpe:2.3:a:sandstorm:sandstorm:0.147
-
cpe:2.3:a:sandstorm:sandstorm:0.148
-
cpe:2.3:a:sandstorm:sandstorm:0.149
-
cpe:2.3:a:sandstorm:sandstorm:0.15
-
cpe:2.3:a:sandstorm:sandstorm:0.150
-
cpe:2.3:a:sandstorm:sandstorm:0.151
-
cpe:2.3:a:sandstorm:sandstorm:0.152
-
cpe:2.3:a:sandstorm:sandstorm:0.153
-
cpe:2.3:a:sandstorm:sandstorm:0.154
-
cpe:2.3:a:sandstorm:sandstorm:0.155
-
cpe:2.3:a:sandstorm:sandstorm:0.156
-
cpe:2.3:a:sandstorm:sandstorm:0.157
-
cpe:2.3:a:sandstorm:sandstorm:0.158
-
cpe:2.3:a:sandstorm:sandstorm:0.159
-
cpe:2.3:a:sandstorm:sandstorm:0.16
-
cpe:2.3:a:sandstorm:sandstorm:0.160
-
cpe:2.3:a:sandstorm:sandstorm:0.161
-
cpe:2.3:a:sandstorm:sandstorm:0.162
-
cpe:2.3:a:sandstorm:sandstorm:0.163
-
cpe:2.3:a:sandstorm:sandstorm:0.164
-
cpe:2.3:a:sandstorm:sandstorm:0.165
-
cpe:2.3:a:sandstorm:sandstorm:0.166
-
cpe:2.3:a:sandstorm:sandstorm:0.167
-
cpe:2.3:a:sandstorm:sandstorm:0.168
-
cpe:2.3:a:sandstorm:sandstorm:0.169
-
cpe:2.3:a:sandstorm:sandstorm:0.17
-
cpe:2.3:a:sandstorm:sandstorm:0.170
-
cpe:2.3:a:sandstorm:sandstorm:0.171
-
cpe:2.3:a:sandstorm:sandstorm:0.172
-
cpe:2.3:a:sandstorm:sandstorm:0.173
-
cpe:2.3:a:sandstorm:sandstorm:0.174
-
cpe:2.3:a:sandstorm:sandstorm:0.175
-
cpe:2.3:a:sandstorm:sandstorm:0.176
-
cpe:2.3:a:sandstorm:sandstorm:0.177
-
cpe:2.3:a:sandstorm:sandstorm:0.178
-
cpe:2.3:a:sandstorm:sandstorm:0.179
-
cpe:2.3:a:sandstorm:sandstorm:0.18
-
cpe:2.3:a:sandstorm:sandstorm:0.180
-
cpe:2.3:a:sandstorm:sandstorm:0.181
-
cpe:2.3:a:sandstorm:sandstorm:0.182
-
cpe:2.3:a:sandstorm:sandstorm:0.183
-
cpe:2.3:a:sandstorm:sandstorm:0.184
-
cpe:2.3:a:sandstorm:sandstorm:0.185
-
cpe:2.3:a:sandstorm:sandstorm:0.186
-
cpe:2.3:a:sandstorm:sandstorm:0.187
-
cpe:2.3:a:sandstorm:sandstorm:0.188
-
cpe:2.3:a:sandstorm:sandstorm:0.189
-
cpe:2.3:a:sandstorm:sandstorm:0.19
-
cpe:2.3:a:sandstorm:sandstorm:0.190
-
cpe:2.3:a:sandstorm:sandstorm:0.191
-
cpe:2.3:a:sandstorm:sandstorm:0.192
-
cpe:2.3:a:sandstorm:sandstorm:0.193
-
cpe:2.3:a:sandstorm:sandstorm:0.194
-
cpe:2.3:a:sandstorm:sandstorm:0.195
-
cpe:2.3:a:sandstorm:sandstorm:0.196
-
cpe:2.3:a:sandstorm:sandstorm:0.197
-
cpe:2.3:a:sandstorm:sandstorm:0.198
-
cpe:2.3:a:sandstorm:sandstorm:0.199
-
cpe:2.3:a:sandstorm:sandstorm:0.20
-
cpe:2.3:a:sandstorm:sandstorm:0.200
-
cpe:2.3:a:sandstorm:sandstorm:0.201
-
cpe:2.3:a:sandstorm:sandstorm:0.202
-
cpe:2.3:a:sandstorm:sandstorm:0.21
-
cpe:2.3:a:sandstorm:sandstorm:0.22
-
cpe:2.3:a:sandstorm:sandstorm:0.23
-
cpe:2.3:a:sandstorm:sandstorm:0.24
-
cpe:2.3:a:sandstorm:sandstorm:0.25
-
cpe:2.3:a:sandstorm:sandstorm:0.26
-
cpe:2.3:a:sandstorm:sandstorm:0.27
-
cpe:2.3:a:sandstorm:sandstorm:0.28
-
cpe:2.3:a:sandstorm:sandstorm:0.29
-
cpe:2.3:a:sandstorm:sandstorm:0.30
-
cpe:2.3:a:sandstorm:sandstorm:0.31
-
cpe:2.3:a:sandstorm:sandstorm:0.32
-
cpe:2.3:a:sandstorm:sandstorm:0.33
-
cpe:2.3:a:sandstorm:sandstorm:0.34
-
cpe:2.3:a:sandstorm:sandstorm:0.35
-
cpe:2.3:a:sandstorm:sandstorm:0.36
-
cpe:2.3:a:sandstorm:sandstorm:0.37
-
cpe:2.3:a:sandstorm:sandstorm:0.38
-
cpe:2.3:a:sandstorm:sandstorm:0.39
-
cpe:2.3:a:sandstorm:sandstorm:0.40
-
cpe:2.3:a:sandstorm:sandstorm:0.41
-
cpe:2.3:a:sandstorm:sandstorm:0.42
-
cpe:2.3:a:sandstorm:sandstorm:0.43
-
cpe:2.3:a:sandstorm:sandstorm:0.44
-
cpe:2.3:a:sandstorm:sandstorm:0.45
-
cpe:2.3:a:sandstorm:sandstorm:0.46
-
cpe:2.3:a:sandstorm:sandstorm:0.47
-
cpe:2.3:a:sandstorm:sandstorm:0.48
-
cpe:2.3:a:sandstorm:sandstorm:0.49
-
cpe:2.3:a:sandstorm:sandstorm:0.5
-
cpe:2.3:a:sandstorm:sandstorm:0.50
-
cpe:2.3:a:sandstorm:sandstorm:0.51
-
cpe:2.3:a:sandstorm:sandstorm:0.52
-
cpe:2.3:a:sandstorm:sandstorm:0.53
-
cpe:2.3:a:sandstorm:sandstorm:0.54
-
cpe:2.3:a:sandstorm:sandstorm:0.55
-
cpe:2.3:a:sandstorm:sandstorm:0.56
-
cpe:2.3:a:sandstorm:sandstorm:0.57
-
cpe:2.3:a:sandstorm:sandstorm:0.58
-
cpe:2.3:a:sandstorm:sandstorm:0.59
-
cpe:2.3:a:sandstorm:sandstorm:0.6
-
cpe:2.3:a:sandstorm:sandstorm:0.60
-
cpe:2.3:a:sandstorm:sandstorm:0.61
-
cpe:2.3:a:sandstorm:sandstorm:0.62
-
cpe:2.3:a:sandstorm:sandstorm:0.63
-
cpe:2.3:a:sandstorm:sandstorm:0.64
-
cpe:2.3:a:sandstorm:sandstorm:0.65
-
cpe:2.3:a:sandstorm:sandstorm:0.66
-
cpe:2.3:a:sandstorm:sandstorm:0.67
-
cpe:2.3:a:sandstorm:sandstorm:0.68
-
cpe:2.3:a:sandstorm:sandstorm:0.69
-
cpe:2.3:a:sandstorm:sandstorm:0.7
-
cpe:2.3:a:sandstorm:sandstorm:0.70
-
cpe:2.3:a:sandstorm:sandstorm:0.71
-
cpe:2.3:a:sandstorm:sandstorm:0.72
-
cpe:2.3:a:sandstorm:sandstorm:0.73
-
cpe:2.3:a:sandstorm:sandstorm:0.74
-
cpe:2.3:a:sandstorm:sandstorm:0.75
-
cpe:2.3:a:sandstorm:sandstorm:0.76
-
cpe:2.3:a:sandstorm:sandstorm:0.77
-
cpe:2.3:a:sandstorm:sandstorm:0.78
-
cpe:2.3:a:sandstorm:sandstorm:0.79
-
cpe:2.3:a:sandstorm:sandstorm:0.8
-
cpe:2.3:a:sandstorm:sandstorm:0.80
-
cpe:2.3:a:sandstorm:sandstorm:0.81
-
cpe:2.3:a:sandstorm:sandstorm:0.82
-
cpe:2.3:a:sandstorm:sandstorm:0.83
-
cpe:2.3:a:sandstorm:sandstorm:0.84
-
cpe:2.3:a:sandstorm:sandstorm:0.85
-
cpe:2.3:a:sandstorm:sandstorm:0.86
-
cpe:2.3:a:sandstorm:sandstorm:0.87
-
cpe:2.3:a:sandstorm:sandstorm:0.88
-
cpe:2.3:a:sandstorm:sandstorm:0.89
-
cpe:2.3:a:sandstorm:sandstorm:0.9
-
cpe:2.3:a:sandstorm:sandstorm:0.90
-
cpe:2.3:a:sandstorm:sandstorm:0.91
-
cpe:2.3:a:sandstorm:sandstorm:0.92
-
cpe:2.3:a:sandstorm:sandstorm:0.93
-
cpe:2.3:a:sandstorm:sandstorm:0.94
-
cpe:2.3:a:sandstorm:sandstorm:0.95
-
cpe:2.3:a:sandstorm:sandstorm:0.96
-
cpe:2.3:a:sandstorm:sandstorm:0.97
-
cpe:2.3:a:sandstorm:sandstorm:0.98
-
cpe:2.3:a:sandstorm:sandstorm:0.99