See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
  - module: TODO
    versions:
      - fixed: 2020.8.1
    packages:
      - package: github.com/cloudflare/cloudflared
description: |
  In `cloudflared` versions < 2020.8.1 on Windows, if an administrator
  has started `cloudflared` and set it to read configuration files from a certain
  directory, an unprivileged user can exploit a misconfiguration in order to escalate
  privileges and execute system-level commands. The misconfiguration was due to
  the way that `cloudflared` reads its configuration file. One of the locations
  that `cloudflared` reads from (C:\etc\) is not a secure-by-default directory, because
  Windows does not enforce access controls on this directory without
  further controls applied. A malformed config.yaml file can be written by any user.
  Upon reading this config, `cloudflared` would output an error message to a log
  file defined in the malformed config. The user-controlled log file location could
  be set to a specific location that Windows will execute when any user logs in.
cves:
  - CVE-2020-24356
ghsas:
  - GHSA-hgwp-4vp4-qmm2
```
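The step that turns a writable config file into code execution is the config-supplied log file path being honoured wherever it points. As an added example (not cloudflared's code, and not the fix shipped in 2020.8.1), the helper below confines any `logfile` value read from a config to a fixed log directory before it is opened; `ConfineLogPath`, `ErrOutsideLogDir` and the directory names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideLogDir is returned when a config-supplied log path escapes the log directory.
var ErrOutsideLogDir = errors.New("logfile path resolves outside the allowed log directory")

// ConfineLogPath takes a "logfile" value as read from a config file and returns its
// cleaned absolute form only if it stays inside allowedDir. Relative values are joined
// to allowedDir; absolute values must already lie within it. Hypothetical helper, not
// cloudflared's own code. On Windows a path on another volume makes filepath.Rel fail,
// which is also treated as a rejection.
func ConfineLogPath(allowedDir, candidate string) (string, error) {
	if strings.TrimSpace(candidate) == "" {
		return "", errors.New("logfile path is empty")
	}
	base, err := filepath.Abs(allowedDir)
	if err != nil {
		return "", err
	}
	var full string
	if filepath.IsAbs(candidate) {
		full = filepath.Clean(candidate)
	} else {
		full = filepath.Join(base, candidate) // Join cleans, so ".." segments are resolved here
	}
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is "." for the directory itself and starts with ".." for anything above or beside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideLogDir
	}
	return full, nil
}

func main() {
	// Constructed sample values: one benign name, one traversal attempt, one absolute path.
	const logDir = "/var/log/cloudflared-example"
	for _, c := range []string{"tunnel.log", "../../../etc/outside.log", "/var/log/cloudflared-example/tunnel/run.log"} {
		p, err := ConfineLogPath(logDir, c)
		fmt.Printf("%q -> %q (err: %v)\n", c, p, err)
	}
}
```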
In GitHub Security Advisory GHSA-hgwp-4vp4-qmm2, there is a vulnerability in the following Go packages or modules:
Cross references: