sandstorm-io/sandstorm

Releases: 304
Release frequency: 1 week 4 days
Last release:
Stars: 7.03K
Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.

CVE History

CVE | Published | CVSS v3 | CVSS v2

- 6.8 MEDIUM: The Supervisor in Sandstorm doesn't set and enforce the resource limits of a process. This allows remote attackers to cause a denial of service by launching a fork bomb in the sandbox, or by using a large amount of disk space.

- 7.5 HIGH: A remote attacker could bypass the Sandstorm organization restriction before build 0.203 via a comma in an email-address field.

- 4 MEDIUM: Sandstorm before build 0.203 allows remote attackers to read any specified file under /etc or /run via the sandbox backup function. The root cause is that the findFilesToZip function doesn't filter Line Feed (\n) characters in a directory name.

- 5.5 MEDIUM: A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.