Lucene search

GoogleOSV:GHSA-8CW9-5HMV-77W6

HistoryAug 06, 2022 - 5:21 a.m.

sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs

2022-08-0605:21:19

Google

osv.dev

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

45.5%

JSON

Impact

Access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted.

Patches

v20.12.7 (LTS)
v21.12.2 (LTS)
v22.6.1

References

https://github.com/sanic-org/sanic/issues/2478
https://github.com/sanic-org/sanic/pull/2495

For more information

If you have any questions or comments about this advisory:

Open an issue in the community forums
Ping us on the Discord server

CPENameOperatorVersion
saniceq0.8.3
saniceq0.5.1
saniceq0.3.1
saniceq20.6.0
saniceq0.5.0
saniceq22.3.1
saniceq20.6.3
saniceq0.1.0
saniceq20.12.2
saniceq21.9.1

Name	Operator	Version
sanic	eq	0.8.3
sanic	eq	0.5.1
sanic	eq	0.3.1
sanic	eq	20.6.0
sanic	eq	0.5.0
sanic	eq	22.3.1
sanic	eq	20.6.3
sanic	eq	0.1.0
sanic	eq	20.12.2
sanic	eq	21.9.1

Rows per page:

1-10 of 661

References

github.com/sanic-org/sanic

github.com/sanic-org/sanic/issues/2478

github.com/sanic-org/sanic/pull/2495

github.com/sanic-org/sanic/security/advisories/GHSA-8cw9-5hmv-77w6

nvd.nist.gov/vuln/detail/CVE-2022-35920

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

45.5%

JSON

Related for OSV:GHSA-8CW9-5HMV-77W6