Charm vulnerable to server-side request forgery (SSRF)
CVE-2022-29180

5.9MEDIUM

Key Information:

Vendor: Charmbracelet
Status: Charm
Vendor: CVE Published:; 7 May 2022

🔔 Create Charmbracelet Vulnerability Alert

What is CVE-2022-29180?

A vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched and is available in release v0.12.1. We recommend that all users running self-hosted charm instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm Docker images are at minimal risk because the exploit is limited to the containerized filesystem.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

charm >= 0.9.0, < 0.12.1

References

https://github.com/charmbracelet/charm/security/advisorie...

x_refsource_CONFIRM

https://github.com/charmbracelet/charm/commit/3c90668f955...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 7, 2022
Vulnerability Reserved
Apr 13, 2022

JSON

Charmbracelet

What is CVE-2022-29180?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.