37 matches found
PT-2025-37089
Name of the Vulnerable Software and Affected Versions: Mockoon versions prior to 9.2.0 Description: Mockoon is a tool used to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving generates the server filename from user input, which is vulnerable to Pa...
GO-2024-3293 Full access to the host's OS file system using osfs.FS with Router.Static in goyave.dev/goyave/v5
Static file serving using router.Static and osfs.FS allows clients to access any file on the host file system using relative paths because the requested path is not sanitized and . and .. segments are accepted. The files will be returned as a response, provided the system user running the Go...
Mesop has a local file Inclusion via static file serving functionality
A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files...
GHSA-83PV-QR33-2VCF Litestar and Starlite vulnerable to Path Traversal
Summary Local File Inclusion via Path Traversal in LiteStar Static File Serving A Local File Inclusion LFI vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to...
PT-2024-25030
Name of the Vulnerable Software and Affected Versions Litestar versions prior to 2.8.3 Litestar versions prior to 2.7.2 Litestar versions prior to 2.6.4 Description A Local File Inclusion LFI vulnerability has been discovered in the static file serving component of Litestar, allowing attackers to...
AZL-44319 CVE-2024-23334 affecting package python-aiohttp 3.6.2-3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...
Directory Traversal
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Directory Traversal. Go Vulnerability Report: On Windows, restricted files can be accessed via os.DirFS and http.Dir.The os.DirFS function and http.Dir type provide access to a...
GO-2022-1027 Path traversal in github.com/cloudwego/hertz
Improper path sanitization on Windows permits path traversal attacks. Static file serving with the Static or StaticFS functions allows an attacker to access files from outside the filesystem root. This vulnerability does not affect non-Windows systems...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal if an unintended user is able to gain access to the diagnostic route, which may lead to information disclosure. Note: This only applies when MessageBus::Diagnostics is enabled it is not enabled by default. Details A...
Directory Traversal
Overview rollup-plugin-server is a rollup plugin to serve the bundle. Affected versions of this package are vulnerable to Directory Traversal. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function. PoC by JHU System Security Lab 1. Create a serv...
jetty: full server path revealed when using the default Error Handling
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a...
SUSE-SU-2018:2689-1 Security update for spark
This update for spark fixes the following security issue: - CVE-2018-9159: Fix a security problem in the serving of static files. bsc1087837...
DEBIAN-CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a...
CVE-2017-16224
st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 redirect to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a...
Spark: Directory traversal vulnerability in version 2.5
A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there's no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data...
PYSEC-2015-6
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service memory consumption via a long line in a file...
UBUNTU-CVE-2015-0221
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service memory consumption via a long line in a file...