Reporting Security Issues

If you would like to report a security issue, please give us a reasonable warning period by contacting us privately first. If we fail to respond, you are very welcome to publish the issue you have found.

Reporting

Please report security issues to rootdev@cern.ch

Known security issues

2023-11-26: Open port for control of web GUI allows read and write access to file system.

Affected releases: v6.30.00, v6.28.08, v6.28.06, v6.28.04, v6.28.02, v6.28.00, v6.26.10, v6.26.08, v6.26.06, v6.26.04, v6.26.02, v6.26.00.

Introduced by commit 466fbd63a5d8486cd9f566bec8f70298161693c9. In earlier versions, ROOT required manual configuration before it would open this network listener.

Vulnerability: a remote attacker can connect to a TCP port, by default in the range 8800..9800, that ROOT's WebGui subsystem opens when it serves a web-based widget such as TBrowser, and through that connection control the ROOT process. Only interactive usage (sessions that display such widgets) is therefore affected. Any action the process can perform can in principle be performed by the attacker, with the privileges of the user running ROOT, including reading, modifying and deleting files.
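The following check is added here as an example and is not part of ROOT or of this advisory. It lists listening TCP sockets in the default WebGui port range that are bound to a non-loopback address, which is the condition under which a listener is reachable from other hosts. It parses output in the format of Linux `ss -ltn` (iproute2); the sample lines embedded in it are constructed for this example, and the function names `exposed_webgui_ports`, `scan_live_host` and `check_sample` are this example's own.

```shell
#!/bin/sh
# Added example, not ROOT project code: flag TCP listeners in ROOT's default
# WebGui port range (8800..9800) that are bound to a non-loopback address and
# are therefore reachable from other hosts. Parses lines in the format of
# Linux `ss -ltn`; the sample further down is constructed for this example.

WEBGUI_PORT_MIN=8800
WEBGUI_PORT_MAX=9800

# exposed_webgui_ports: read `ss -ltn`-style lines on stdin and print the
# "address:port" of every LISTEN socket whose port lies in the WebGui range
# and whose bind address is neither 127.x.x.x nor [::1].
exposed_webgui_ports() {
    awk -v min="$WEBGUI_PORT_MIN" -v max="$WEBGUI_PORT_MAX" '
        $1 != "LISTEN" { next }                 # skips the header line too
        {
            laddr = $4                          # "Local Address:Port" column
            n = split(laddr, parts, ":")
            port = parts[n] + 0                 # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (port < min || port > max) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print laddr
        }'
}

# scan_live_host: run the check against the current host (Linux with iproute2).
scan_live_host() {
    ss -ltn | exposed_webgui_ports
}

# Constructed sample of `ss -ltn` output: one ROOT session bound to loopback
# (not exposed), two bound to all interfaces (exposed), plus unrelated
# listeners outside the port range that must not be reported.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8800     0.0.0.0:*         users:(("root.exe",pid=4242,fd=11))
LISTEN 0      128    0.0.0.0:8801       0.0.0.0:*         users:(("root.exe",pid=4243,fd=11))
LISTEN 0      128    [::]:8802          [::]:*            users:(("root.exe",pid=4244,fd=12))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      128    0.0.0.0:9801       0.0.0.0:*         users:(("other",pid=901,fd=3))'

# check_sample: run the parser over the constructed sample and print the
# exposed entries one per line (here "0.0.0.0:8801" and "[::]:8802").
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_webgui_ports
}

check_sample
```

Run `scan_live_host` on a machine with a ROOT session open to see whether its WebGui listener is reachable from the network. Two caveats: a listener bound to loopback is unreachable from other hosts but still reachable by every other local user of the same machine, and this check says nothing about whether connections to the socket are authenticated, so it only measures exposure; the fixing commit listed in this advisory is what addresses the vulnerability itself.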

Fixed by commit: