Lucene search

GitHub Advisory DatabaseGHSA-8CW9-5HMV-77W6

HistoryAug 06, 2022 - 5:21 a.m.

sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs

2022-08-0605:21:19

CWE-22

GitHub Advisory Database

github.com

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

45.5%

JSON

Impact

Access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted.

Patches

v20.12.7 (LTS)
v21.12.2 (LTS)
v22.6.1

References

https://github.com/sanic-org/sanic/issues/2478
https://github.com/sanic-org/sanic/pull/2495

For more information

If you have any questions or comments about this advisory:

Open an issue in the community forums
Ping us on the Discord server

Affected configurations

Vulners

Node

sanic_projectsanicRange<20.12.7

sanic_projectsanicRange<21.12.2

sanic_projectsanicRange<22.6.1

CPENameOperatorVersion
saniclt20.12.7
saniclt21.12.2
saniclt22.6.1

Name	Operator	Version
sanic	lt	20.12.7
sanic	lt	21.12.2
sanic	lt	22.6.1

References

github.com/advisories/GHSA-8cw9-5hmv-77w6

github.com/sanic-org/sanic/issues/2478

github.com/sanic-org/sanic/pull/2495

github.com/sanic-org/sanic/security/advisories/GHSA-8cw9-5hmv-77w6

nvd.nist.gov/vuln/detail/CVE-2022-35920

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

45.5%

JSON

Related for GHSA-8CW9-5HMV-77W6