diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| diffoscope(PyPI) | 0 | 256 | N/A |
CVSS Metrics
