CVE-2022-40277: Improper Input Validation

September 30, 2022 (updated October 4, 2022)

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the ‘shell.openExternal’ function.

References

fluidattacks.com/advisories/skrillex/
github.com/laurent22/joplin
nvd.nist.gov/vuln/detail/CVE-2022-40277

Detect and mitigate CVE-2022-40277 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →