Vulnerability Description
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Obsidian | Obsidian | < 1.2.8 |
| Apple | Macos | - |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8/Release Notes
- https://starlabs.sg/advisories/23/23-2110/ExploitMitigationThird Party Advisory
- https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8/Release Notes
- https://starlabs.sg/advisories/23/23-2110/ExploitMitigationThird Party Advisory
FAQ
What is CVE-2023-2110?
CVE-2023-2110 is a vulnerability with a CVSS score of 8.2 (HIGH). Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-...
How severe is CVE-2023-2110?
CVE-2023-2110 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-2110?
Check the references section above for vendor advisories and patch information. Affected products include: Obsidian Obsidian, Apple Macos, Linux Linux Kernel, Microsoft Windows.