CVE-2025-58158 (CNNVD-202508-3506)
中文标题:
Harness 安全漏洞
英文标题:
Harness Affected by Arbitrary File Write in Gitness LFS server
漏洞描述
中文描述:
Harness是Harness开源的一个开发平台。 Harness 3.3.0之前版本存在安全漏洞,该漏洞源于上传路径清理不当,可能导致任意文件写入。
英文描述:
Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| harness | harness | < 3.3.0 | - | - |
cpe:2.3:a:harness:harness:<_3.3.0:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-58158 |
2025-11-11 15:23:30 | 2025-11-11 07:40:45 |
| NVD | nvd_CVE-2025-58158 |
2025-11-11 15:01:01 | 2025-11-11 07:48:32 |
| CNNVD | cnnvd_CNNVD-202508-3506 |
2025-11-11 15:12:55 | 2025-11-11 08:00:08 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202508-3506
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']