CVEbaza.plSłownik CWECWE-515
Common Weakness Enumeration

CWE-515

Covert Storage Channel

Kategoria: BaseCVE: 1
Opis

Utajniony kanał przechowywania przesyła informacje poprzez ustawienie bitów przez jeden program i odczytanie tych bitów przez inny program. To, co odróżnia ten przypadek od zwykłego działania, to fakt, że bity służą do przesyłania zakodowanych informacji.

Description (EN)

A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.

Podatności CVE z CWE-515 (1)
6.0
CVSS
MEDIUM
CVE-2026-54316

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.

pub. 2026-06-23
Informacje
ID: CWE-515
Typ: Base
Podatności: 1
MITRE CWE ↗
← Słownik CWE