| 제목 | FedML-AI FedML <=0.8.9 Path Traversal |
|---|
| 설명 | A path traversal vulnerability (CWE-22) exists in the Android client of FedML. The client processes MQTT messages as task instructions and uses the dataSet parameter to construct filesystem paths without validation.
An attacker who can publish or tamper with MQTT messages can supply crafted path traversal payloads (e.g., ../../../../) to cause the client to access and enumerate arbitrary directories within the app’s accessible filesystem. |
|---|
| 원천 | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/25 |
|---|
| 사용자 | Ana10gy (UID 93358) |
|---|
| 제출 | 2026. 03. 18. AM 09:40 (20 날 ago) |
|---|
| 모더레이션 | 2026. 04. 04. AM 08:40 (17 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 355288 [FedML-AI FedML 까지 0.8.9 MQTT Message FileUtils.java dataSet 디렉토리 순회] |
|---|
| 포인트들 | 20 |
|---|