The Cozy controller starts each application with its own Linux user. In the unpatched version, when an application was launched, the controller used the proper Uid with a gid equal to zero (root group). Therefore, the application could access files that where supposed to be read only by the root group.
If a user installs on his/her Cozy instance a malicious application, it could use this vulnerability to access files that it should not be able to access. Considering the very limited number of applications available today on the Cozy platform, we think the impact of this vulnerability is moderate.
This vulnerability, found yesterday, was patched as quickly as we could and version 2.0.19, which contains the patch, has been released and is ready for deployment.
Instances hosted by the Cozy team on the cozycloud.cc domain are protected as we have updated our systems. No further action is required for these instances.
Self-hosted instances, which are not managed by the Cozy Cloud team MUST be updated. To apply the update, two methods can be used:
From the Cozy home page, click on "Manage your apps" then "update platform". You're done!
Or, from the command line interface, type the following commands:
sudo supervisorctl stop cozy-controller sudo npm -g update cozy-controller sudo supervisorctl start cozy-controller
Questions related to this issue are welcome on the Cozy Cloud forum.