HIGH🇬🇧 English

CVE-2026-42275

CVSS 8.7v3.1pub. 2026-05-08

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Netfoundry Zrok

    APP
    Netfoundry
    < 2.0.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2026-40303HIGH7.5ten sam produkt

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.Get...

CVE-2026-40302MEDIUM6.1ten sam produkt

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi t...

CVE-2026-40304MEDIUM5.3ten sam produkt

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess ...

CVE-2026-42275 — HIGH 8.7 | CVEbaza.pl