CVE-2021-34422 HIGH

CVE-2021-34422: Path traversal of file names in Keybase Client for Windows

Vendor Zoom Video Communications Inc
Product Keybase Client for Windows
Published November 11, 2021
Last update September 17, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Keybase Client for Windows before version 5.7.0 contains a path traversal vulnerability when checking the name of a file uploaded to a team folder. A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application which was not intended on their host machine. If a malicious user leveraged this issue with the public folder sharing feature of the Keybase client, this could lead to remote code execution.

Key dates

02Disclosure timeline

November 11, 2021 CVE published
September 17, 2024 Record updated