CVE-2023-49793
Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang-Tidy. Zip files uploaded to the server endpoint used by `CodeChecker store` are not properly sanitized. An attacker can use a path traversal attack to load and display files from the machine running `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server` process. The attack requires a user account on the `CodeChecker server` with permission to store reports to the server and to view the stored report. This vulnerability has been patched in version 6.23.
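The root cause is unsanitized zip member names, so the relevant fix is to validate every entry against the extraction directory before anything is written. The following is an added illustration of that check (example code, not CodeChecker's own code or its patch); the `dest_dir` default and the sample archives are constructed assumptions.

```python
import io
import os
import posixpath
import stat
import zipfile

def is_safe_member(dest_dir: str, info: zipfile.ZipInfo) -> bool:
    """True only if writing this entry under dest_dir cannot escape dest_dir."""
    name = info.filename
    # Symlink entries are refused: a link out of dest_dir would expose host files.
    if stat.S_ISLNK(info.external_attr >> 16):
        return False
    # Absolute names, POSIX or Windows style, are never acceptable.
    if name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    # Treat '\' as a separator and collapse '.' / '..' components.
    normalised = posixpath.normpath(name.replace("\\", "/"))
    if normalised == ".." or normalised.startswith("../"):
        return False
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, normalised))
    return os.path.commonpath([root, target]) == root

def unsafe_members(archive: bytes, dest_dir: str = "/tmp/reports") -> list[str]:
    """Names of entries that would be rejected; an empty list means the archive is clean."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member(dest_dir, i)]

def extract_safely(archive: bytes, dest_dir: str) -> list[str]:
    """Validate every entry before any write; returns the paths written."""
    bad = unsafe_members(archive, dest_dir)
    if bad:
        raise ValueError(f"rejected archive entries: {bad}")
    root, written = os.path.realpath(dest_dir), []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(root, posixpath.normpath(info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_archive(entries: dict[str, str]) -> bytes:
    """Build a constructed in-memory zip (sample input, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Rejecting the whole archive on the first bad entry, rather than skipping it, keeps a partially written report directory from masking the attempt in server logs.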
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | codechecker | <6.23.0 | 6.23.0 |
| PyPI (git) | codechecker | before commit 46bada41e32f3ba0f6011d5c556b579f6dddf07a (releases <6.23.0) | 46bada41e32f3ba0f6011d5c556b579f6dddf07a |
References
- https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf
- https://nvd.nist.gov/vuln/detail/CVE-2023-49793
- https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a
- https://github.com/Ericsson/codechecker
- https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2024-54.yaml