जमा करें #852880: Sipeed PicoClaw <= 0.2.9 Information Disclosure (CWE-200)जानकारी

शीर्षकSipeed PicoClaw <= 0.2.9 Information Disclosure (CWE-200)
विवरण# Technical Details An information disclosure vulnerability exists in the `exec` command safety guard in `pkg/tools/shell.go` of PicoClaw. The application fails to apply deny-pattern inspection after a command matches `custom_allow_patterns`. A command matching an allow rule such as `^jq\b` is treated as fully exempt from deny checks, allowing jq programs using `$ENV` or `env` to read process environment variables. # Vulnerable Code File: `pkg/tools/shell.go` Method: `guardCommand` Why: Sets `explicitlyAllowed = true` when a custom allow regex matches, then skips the deny-pattern loop entirely for that command line. # Reproduction 1. Configure `custom_allow_patterns` to allow jq, for example `^jq\b`. 2. Configure deny patterns intended to block jq environment access, such as `$env` or `env`. 3. Invoke the `exec` tool with a jq payload that reads environment variables, such as `jq -n '$ENV'`. 4. Observe that the command is executed instead of being blocked and process environment data is disclosed. # Impact - Exposes runtime secrets stored in environment variables. - May disclose API keys, provider credentials, proxy secrets, cloud credentials, and tokens. - Defeats operator expectations that deny patterns remain enforced for allowlisted binaries.
स्रोत⚠️ https://github.com/sipeed/picoclaw/issues/3079
उपयोगकर्ता Eric-d (UID 96861)
सबमिशन09/06/2026 12:16 PM (1 महीना पहले)
संयम09/07/2026 08:07 PM (1 month later)
स्थितिप्रतिलिपि
VulDB प्रविष्टि366374 [PicoClaw तक 0.1.2 ExecTool pkg/tools/shell.go guardCommand अधिकार वृद्धि]
अंक0

Do you want to use VulDB in your project?

Use the official API to access entries easily!