Files_antivirus doesn’t delete virus if uploaded through public link

Jul 31, 2020

  • Risk: low
  • CVSS v3 Base Score: 1.2
  • CVSS v3 Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N
  • CWE ID: CWE-280
  • CWE Name: Improper Handling of Insufficient Permissions or Privileges

Description

When an object store such as S3 is used as the file store and a user creates a public link to a folder that allows anonymous uploads, a virus uploaded through that link is detected by the files_antivirus app but not deleted, because the deletion fails due to permission issues.

Affected

  • files_antivirus version < 0.15.2 (CVE-2020-16144)

Action taken

Improved the deletion logic of the files_antivirus app.