Zed
CVE-2023-50439
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission), ZED! for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before 2023.5, or ZEDMAIL for Windows before 2023.5 disclose the original path in which the containers were created, which allows an unauthenticated attacker to obtain some information regarding the context of use (project name, etc.).
AnalysisAI
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission), ZED! for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before 2023.5, or ZEDMAIL for Windows before 2023.5 disclose the original path in which the containers were created, which allows an unauthenticated attacker to obtain some information regarding the context of use (project name, etc.). Affected products include: Primx Zed\!, Primx Zedmail, Primx Zonecentral. Version information: before 2023.5.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitiz
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers
Zed Editor versions prior to 0.219.4 fail to display tool invocation parameters during permission prompts or after execu
A directory traversal vulnerability with remote code execution in Prim'X Zed!. Rated critical severity (CVSS 9.8), this
Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malici
Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool per
Command injection in Zed code editor versions prior to 0.229.0 allows bypass of the terminal tool's permission allowlist
Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals be
By default, .ZED containers produced by PRIMX ZED!. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands c
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.5), this vulnerability is no authentication require
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today