Bbot
Monthly
Arbitrary file write in BBOT's postman_download module enables a remote attacker to write files outside the intended output directory on a victim's system by controlling a Postman workspace name containing path traversal sequences. When a user runs the postman_download module, BBOT fetches workspace names from the Postman API and constructs local filesystem paths without sanitization, allowing pathlib to resolve paths into arbitrary locations on the victim's host. No public exploit has been identified at time of analysis, though the attack primitive is straightforward given the publicly committed fix details and low attack complexity.
Symlink-following path traversal in BBOT's github_workflows module (all versions prior to commit 16d9c42b6) allows a local attacker sharing the scan output directory to redirect workflow artifact writes to an attacker-chosen filesystem location. By planting a symlink at the predictable output path (output_dir/owner/repo) before a scan runs, the attacker causes BBOT to write GitHub workflow data outside the intended directory, achieving a limited file-write primitive. No public exploit has been identified at time of analysis, and CVSS rates this Low (2.2), reflecting the high-complexity, local-only, victim-triggered attack surface.
Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.
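The docker_pull entry above turns on one decision: whether the `realm` named in a registry's `WWW-Authenticate: Bearer` challenge is a place credentials may be sent at all. The following is an added example, not BBOT's or Docker's own code, showing how a client can parse the challenge and gate the token request on the realm being HTTPS and on the registry's own host (or an operator-configured token host, since some registries serve tokens from a sibling domain). The function names, the `registry.example` / `attacker.example` hostnames and the two challenge strings are constructed for illustration.

```python
"""Vetting a registry's WWW-Authenticate Bearer challenge before any
credentials are sent to the realm it names.

Added example, not BBOT's or Docker's code. The function names and the
registry/realm hostnames below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Matches key="quoted value" or key=token inside the challenge parameters.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_bearer_challenge(header: str) -> dict:
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return {k: quoted or token for k, quoted, token in _PARAM.findall(params)}


def realm_is_trusted(realm: str, registry_host: str, trusted_token_hosts=()) -> bool:
    """Accept the token endpoint only over HTTPS and only on the registry host,
    a subdomain of it, or a host the operator explicitly configured (needed for
    registries whose token service lives on a sibling domain)."""
    parts = urlsplit(realm)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    reg = registry_host.lower()
    allow = {h.lower() for h in trusted_token_hosts}
    return host == reg or host.endswith("." + reg) or host in allow


def token_endpoint_for(challenge_header: str, registry_host: str, trusted_token_hosts=()):
    """Return the realm URL to authenticate against, or None when the challenge
    must be treated as hostile (in which case credentials are never sent)."""
    params = parse_bearer_challenge(challenge_header)
    realm = params.get("realm", "")
    return realm if realm_is_trusted(realm, registry_host, trusted_token_hosts) else None


# Constructed challenges: a legitimate one, and one whose realm points off-domain.
GENUINE = ('Bearer realm="https://auth.registry.example/token",'
           'service="registry.example",scope="repository:app/api:pull"')
FORGED = ('Bearer realm="https://collector.attacker.example/token",'
          'service="registry.example"')


if __name__ == "__main__":
    print("genuine ->", token_endpoint_for(GENUINE, "registry.example"))
    print("forged  ->", token_endpoint_for(FORGED, "registry.example"))
```

The host comparison is deliberately strict: a `service` parameter that matches the registry proves nothing, because the same 401 response supplies it. Only the realm host, checked against the host the client connected to, decides whether the Authorization header leaves the process.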
Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images.
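The postman_download, github_workflows and unarchive entries are three forms of the same missing check: a path built from data the scanner does not control (a workspace name, an owner/repo pair already present as a symlink, an archive member name) is written without proving it stays under the output directory. The following is an added example, not BBOT's own code, of the containment checks a defender would want in that position: component validation plus a symlink walk for names that become directories, and an explicit per-member test for tar archives so that the installed tar binary's behaviour no longer decides the outcome. The function names (`safe_output_path`, `safe_extract_members`, `demo`) and every sample input are constructed.

```python
"""Output-path containment checks for the postman_download, github_workflows
and unarchive issues described above.

Added example, not BBOT's own code. The names safe_output_path,
safe_extract_members and demo, plus all sample inputs, are constructed.
"""
import io
import tarfile
import tempfile
from pathlib import Path


def safe_output_path(output_dir: Path, *untrusted_parts: str) -> Path:
    """Join untrusted components (a workspace name, an owner/repo pair) under
    output_dir and return the destination only if it provably stays inside.

    Rejects dot components, embedded separators and NUL bytes, refuses to pass
    through any existing symlink (the github_workflows case), and finally
    checks the resolved path against the resolved base (the pathlib case).
    """
    base = output_dir.resolve()
    for part in untrusted_parts:
        if not part or part in (".", "..") or any(c in part for c in "/\\\0"):
            raise ValueError(f"rejected path component: {part!r}")
    cur = base
    for part in untrusted_parts:
        cur = cur / part
        if cur.is_symlink():
            raise ValueError(f"symlink on output path: {cur}")
    resolved = cur.resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes output dir: {resolved}") from None
    return resolved


def safe_extract_members(archive: tarfile.TarFile, dest: Path):
    """Yield only archive members whose destination stays inside dest.

    Makes the check explicit in code instead of relying on the installed tar
    binary's behaviour. Links and device nodes are skipped outright so a
    member cannot plant a symlink that a later member then writes through.
    """
    base = dest.resolve()
    for member in archive.getmembers():
        if member.issym() or member.islnk() or member.isdev():
            continue
        target = (base / member.name).resolve()
        try:
            target.relative_to(base)
        except ValueError:
            continue  # absolute or traversal name; drop it
        yield member


def demo() -> dict:
    """Exercise the checks on constructed inputs and return plain results."""
    # Constructed archive: one benign member and one traversal member.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../../outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(b"constructed")
            tf.addfile(info, io.BytesIO(b"constructed"))
    buf.seek(0)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        with tarfile.open(fileobj=buf, mode="r") as tf:
            results["kept"] = [m.name for m in safe_extract_members(tf, out)]
        # An ordinary workspace name lands inside the output directory.
        results["ok_inside"] = safe_output_path(out, "team-workspace").parent == out.resolve()
        # A workspace name carrying traversal is refused.
        try:
            safe_output_path(out, "../../outside")
            results["traversal_blocked"] = False
        except ValueError:
            results["traversal_blocked"] = True
        # A pre-planted symlink at output_dir/owner (constructed) is refused.
        (out / "owner").symlink_to(out.parent)
        try:
            safe_output_path(out, "owner", "repo")
            results["symlink_blocked"] = False
        except ValueError:
            results["symlink_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

On interpreters that ship PEP 706 (Python 3.12, and the 3.8 through 3.11 security backports), `TarFile.extractall(path, filter="data")` performs the member-level checks natively; the generator above is the portable equivalent for older runtimes, which is exactly the legacy-base-image situation the unarchive entry calls out.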