22 matches found
EUVD-2016-0746
Malware in sbrugna...
EUVD-2017-14086
Malware in sbrugna...
EUVD-2021-0971
Malware in sbrugna...
hyper-staticfile's location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request e.g. a request for /dir that redirects to /dir/, the Location header value was derived from user input the request path, simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed...
GHSA-5WVV-Q5FV-2388 hyper-staticfile's location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request e.g. a request for /dir that redirects to /dir/, the Location header value was derived from user input the request path, simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed...
Location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request e.g. a request for /dir that redirects to /dir/, the Location header value was derived from user input the request path, simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed...
RUSTSEC-2022-0072 Location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request e.g. a request for /dir that redirects to /dir/, the Location header value was derived from user input the request path, simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed...
GHSA-7P7C-PVVX-2VX3 hyper-staticfile's improper validation of Windows paths could lead to directory traversal attack
Path resolution in hyper-staticfile didn't correctly validate Windows paths, meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This on...
hyper-staticfile's improper validation of Windows paths could lead to directory traversal attack
Path resolution in hyper-staticfile didn't correctly validate Windows paths, meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This on...
RUSTSEC-2022-0069 Improper validation of Windows paths could lead to directory traversal attack
Path resolution in hyper-staticfile didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This onl...
Improper validation of Windows paths could lead to directory traversal attack
Path resolution in hyper-staticfile didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This onl...
GHSA-6H7W-FC84-X7P6 StaticFile.fromUrl can leak presence of a directory
Impact StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a directory, without first checking the...
Design/Logic Flaw
Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a...
CVE-2016-0715
Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5, 1.5.0 through 1.5.11 and 1.6.0 through 1.6.11 is vulnerable to a remote information disclosure. It was found that original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and could leave PHP...
Information disclosure
Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5, 1.5.0 through 1.5.11 and 1.6.0 through 1.6.11 is vulnerable to a remote information disclosure. It was found that original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and could leave PHP...
Pivotal Software Cloud Foundry cf-release and Staticfile buildpack authentication vulnerabilities
Pivotal Software Cloud Foundry cf-release and Staticfile buildpack are both products of Pivotal Software, Inc.Cloud Foundry cf-release is an open source Platform-as-a-Service PaaS cloud computing platform that provides Cloud Foundry cf-release is an open source Platform-as-a-Service PaaS cloud...
Design/Logic Flaw
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root...
CVE-2017-4970
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root...
CVE-2017-4970
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root...
CVE-2017-4970
CVE-2017-4970 describes a regression in the Cloud Foundry cf-release v255 and Staticfile buildpack v1.4.0–v1.4.3. The Staticfile buildpack regression causes the Staticfile.auth configuration to be ignored when the Staticfile is not present in the application root; apps that contain a Staticfile.a...