CVE-2023-43620: Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device

September 20, 2023 (updated September 21, 2023)

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

References

github.com/advisories/GHSA-364c-vvqx-446c
github.com/schollz/croc/issues/595
nvd.nist.gov/vuln/detail/CVE-2023-43620
www.openwall.com/lists/oss-security/2023/09/08/2

Detect and mitigate CVE-2023-43620 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →