• Status Closed
  • Task Type Security Issue
  • Category Any
  • Operating System All
  • Severity Critical
  • Priority Very High
  • Reported Version Any
  • Due in Version Starfix
  • Due Date Undecided
Attached to Project: Packages
Opened by bugmen0t - 26/07/2018
Last edited by Emulatorman - 29/08/2018

FS#1109 - [znc] CVE-2018-14055: privilege escalation & CVE-2018-14056: path traversal

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Upgrade to 1.7.1

ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:

Severity: medium

Versions affected:
0.045 through 1.7.0

Upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`,
`/msg *status DelPort` commands.

ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:

Closed by  Emulatorman
29.08.2018 01:25
Reason for closing:  Fixed

Sorry this should be "security issue" but I cannot edit it.
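
The skin-name path traversal described in the report, seen from the mitigation side. This is an added example, not ZNC's upstream patch or code; the function names and the `skinsRoot` parameter are hypothetical. A skin name is accepted only if it is a single allow-listed path component that still resolves below the skins root.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Split on '/' and resolve "." and ".." lexically (no filesystem access).
// A ".." at the root is dropped, as the kernel does when resolving "/..".
static std::vector<std::string> Normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    return parts;
}

// True only if base/rel resolves to a location strictly below base.
bool StaysUnder(const std::string& base, const std::string& rel) {
    std::vector<std::string> b = Normalize(base);
    std::vector<std::string> p = Normalize(base + "/" + rel);
    if (p.size() <= b.size()) return false;
    for (std::size_t i = 0; i < b.size(); ++i)
        if (p[i] != b[i]) return false;
    return true;
}

// Allow-list: one path component made of letters, digits, '_' and '-'.
bool IsValidSkinName(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    for (unsigned char c : name) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

// Returns the skin directory, or "" when the name is rejected.
// skinsRoot is an assumed install path, not taken from the ZNC source.
std::string SkinDir(const std::string& skinsRoot, const std::string& name) {
    if (!IsValidSkinName(name) || !StaysUnder(skinsRoot, name)) return "";
    return skinsRoot + "/" + name;
}
```

Both checks are lexical, so a symlink inside the skins root can still point elsewhere; resolving the final path (for example with `realpath()`) before opening files closes that gap.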
